Hacker News | 0xxon's comments

Lawful Permanent Resident - https://ohss.dhs.gov/topics/immigration/lawful-permanent-res....

It's the official status of green card holders.


The fact that some root stores/browsers don't trust some CAs is actually quite common. There will be some cross-sign from another CA that is trusted in Firefox in this case.

Stuff like this is quite common; we published a paper on this recently if you are interested in details: https://arxiv.org/abs/2009.08772


https://medium.com/@sleevi_/path-building-vs-path-verifying-... also has some utilities to visualize this using JS to explore these relationships, and understand the code tradeoffs.


Was in Tokyo last week and this week.

Depending on the day my guess was that 40-70% of people were wearing masks - more on public transit.

I assume that you mostly were at the airport or public transit/other huge venues - otherwise I cannot really explain our different experiences.


Even their old device (DPTS1) can do that - so I would assume yes.


Most clients nowadays send the "server name indication" (SNI) TLS extension though, which contains the name of the site you are connecting to.

The extension is sent unencrypted, even when using TLS 1.3. So everyone sniffing the traffic can tell where you are surfing to, even without DNS.


I don't think many people know this, or at least never think about it. "https means encrypted, that means secret."


And in order to support clients that don't support SNI, you need to have one domain per IP address so an attacker can just try and connect to that IP and then look at the SSL cert that's sent back to get the domain name.


>And in order to support clients that don't support SNI

There is little reason to support clients that do not support SNI. By supporting those clients you are likely putting your entire encrypted infrastructure at risk. SSL3 should be disabled by now. XP clients are legacy and should be taken out back and shot. Older mobile phones are enormous security risks.


If you are interested in tcpdump and use it for debugging, you might potentially also be interested in the Bro network monitoring system (http://bro.org).

It gives you very deep visibility into the supported protocols, dumps easy-to-parse log files by default (see e.g. https://www.bro.org/sphinx-git/httpmonitor/index.html for HTTP information) - and it is fully scriptable.

(Disclaimer: I am involved with the project.)


Here you go - http://z-machine.appspot.com/game/ztrek/play/

(It is actually not emscripten -- it uses a z-machine emulator I adapted to js a long time ago to run the z-machine version of star trek. But - should be good enough :) )


Thank you!! :D

