*GNUmoon2 has quit (Ping timeout: 2m30s) | Dec 08 01:20 | |
*u-amarsh04 has quit (Quit: Konversation terminated!) | Dec 08 01:26 | |
schestowitz | https://twitter.com/TheDickKnightV2/status/1468226178750324823 | Dec 08 01:26 |
-TechBytesBot/#techbytes-@TheDickKnightV2: @schestowitz I would love to hear how they plan to enforce safe storage laws. California has them and it surely hasn’t been working. | Dec 08 01:26 | |
schestowitz | https://twitter.com/IMDibe/status/1468183100228259846 | Dec 08 01:26 |
-TechBytesBot/#techbytes-@IMDibe: @schestowitz Junk reporting. | Dec 08 01:26 | |
*GNUmoon2 (~GNUmoon@9usr6fbbjhvag.irc) has joined #techbytes | Dec 08 01:26 | |
*liberty_box has quit (Ping timeout: 2m30s) | Dec 08 01:28 | |
*liberty_box_ has quit (Ping timeout: 2m30s) | Dec 08 01:29 | |
*u-amarsh04 (~amarsh04@t25x9hgy9xhrc.irc) has joined #techbytes | Dec 08 01:33 | |
schestowitz | Re: Certificates on TechRights | Dec 08 01:36 |
schestowitz | > Hi Roy, | Dec 08 01:36 |
schestowitz | > | Dec 08 01:36 |
schestowitz | > I am conversing with the author of a fairly popular site | Dec 08 01:36 |
schestowitz | > ( guide) and talking about site certificates. | Dec 08 01:36 |
schestowitz | > (see below) | Dec 08 01:36 |
schestowitz | > Do you have any thoughts or recommend any articles on where | Dec 08 01:36 |
schestowitz | > this is going? | Dec 08 01:36 |
schestowitz | > | Dec 08 01:36 |
schestowitz | > all good wishes, | Dec 08 01:37 |
schestowitz | My answer in-line, below: | Dec 08 01:37 |
schestowitz | > Date: Mon, 06 Dec 2021 13:31:56 +0000 | Dec 08 01:37 |
schestowitz | > From: | Dec 08 01:37 |
schestowitz | > To: | Dec 08 01:37 |
schestowitz | > Subject: Re: Article on teaching cybersecurity | Dec 08 01:37 |
schestowitz | > | Dec 08 01:37 |
schestowitz | > You might suggest to that he add download links for his | Dec 08 01:37 |
schestowitz | > podcast episodes. I almost never listen to podcasts on my computer. | Dec 08 01:37 |
schestowitz | > I listen when I'm away from my computer, while doing other things. | Dec 08 01:37 |
schestowitz | > | Dec 08 01:37 |
schestowitz | > I would be interested to know why Roy uses a self-signed certificate. | Dec 08 01:37 |
schestowitz | > I'm considering writing an article that delves into how much of | Dec 08 01:37 |
schestowitz | > browser security warnings are justified and how much are not. It | Dec 08 01:37 |
schestowitz | > occurs to me that websites that are HTTP only or that use self-signed | Dec 08 01:37 |
schestowitz | > certificates may be the new darkweb. | Dec 08 01:37 |
schestowitz | The term "darkweb" is a meaningless buzzword that should be avoided. People who say "darkweb" help the likes of BBC perpetuate ruinous myths, e.g. about a forum that requires a username/password to access. | Dec 08 01:37 |
schestowitz | >I wonder if their owners want | Dec 08 01:37 |
schestowitz | > their sites to be hidden, simply don't care, or their sites are | Dec 08 01:37 |
schestowitz | > completely driven by word-of-mouth traffic. | Dec 08 01:37 |
schestowitz | This is untrue. The site has HTTPS support, the certificate is signed, but it does not outsource trust to untrustworthy hacks: | Dec 08 01:37 |
schestowitz | http://techrights.org/2020/11/07/free-privacy-lunch/ | Dec 08 01:37 |
schestowitz | Apropos: http://techrights.org/wiki/Linux_Foundation | Dec 08 01:37 |
-TechBytesBot/#techbytes-techrights.org | Let’s Encrypt is Garbage, Albeit It’s Disguised as ‘Free’ Privacy | Techrights | Dec 08 01:37 | |
-TechBytesBot/#techbytes-techrights.org | Linux Foundation - Techrights | Dec 08 01:37 | |
schestowitz | There are also purely technical reasons, but that's a longer debate. | Dec 08 01:37 |
schestowitz | Gemini strictly requires certificates, but fully and happily supports self-signing. | Dec 08 01:37 |
schestowitz | A Web that is centralised isn't worth having. | Dec 08 01:37 |
schestowitz | Also: http://techrights.org/2020/03/04/lets-ask-lets-encrypt/ | Dec 08 01:37 |
schestowitz | Please pass along my feedback and consider writing about it. Your article was very well received and we'd love to publish more like it. | Dec 08 01:37 |
-TechBytesBot/#techbytes-techrights.org | Techrights Urges Readers to Ask the Linux Foundation’s Let’s Encrypt (Backed by Companies That Give the NSA Back Doors) Some Hard But Legitimate Questions | Techrights | Dec 08 01:37 | |
schestowitz | Kind regards, | Dec 08 01:37 |
schestowitz | Fwd: AI in an IP world | Dec 08 01:38 |
schestowitz | A group of colleagues at Reddie & Grose recently published a newsletter called AI in an IP world which features “a collection of insights into how patents can protect AI related inventions”. | Dec 08 01:38 |
schestowitz | I think it’s worth a read: | Dec 08 01:38 |
schestowitz | AI in an IP world - Intellectual Property Law - Reddie & Grose | Dec 08 01:38 |
schestowitz | AI in an IP world - Intellectual Property Law - Reddie & Grose | Dec 08 01:38 |
schestowitz | Reddie & Grose’s Artificial Intelligence (AI) newsletter, a collection of insights into how patents can protect AI related inventions, and what AI can do for the intellectual property world. | Dec 08 01:38 |
*liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 01:41 | |
*liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 01:41 | |
*u-amarsh04 has quit (Quit: Konversation terminated!) | Dec 08 02:04 | |
*GNUmoon2 has quit (Ping timeout: 2m30s) | Dec 08 02:13 | |
*GNUmoon2 (~GNUmoon@6ujf8e7nw8qfi.irc) has joined #techbytes | Dec 08 02:13 | |
*liberty_box has quit (Ping timeout: 2m30s) | Dec 08 02:43 | |
*liberty_box_ has quit (Ping timeout: 2m30s) | Dec 08 02:43 | |
*liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 02:55 | |
*liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 02:55 | |
*liberty_box_ has quit (Ping timeout: 2m30s) | Dec 08 03:57 | |
*liberty_box has quit (Ping timeout: 2m30s) | Dec 08 03:57 | |
*techrights_guest|12 has quit (Quit: Connection closed) | Dec 08 03:57 | |
*liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 04:42 | |
*liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 04:43 | |
*liberty_box_ has quit (Ping timeout: 2m30s) | Dec 08 04:51 | |
*liberty_box has quit (Ping timeout: 2m30s) | Dec 08 04:51 | |
*liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 05:03 | |
*liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 05:04 | |
*DaemonFC has quit (Quit: Leaving) | Dec 08 05:41 | |
*liberty_box_ has quit (Ping timeout: 2m30s) | Dec 08 05:42 | |
*liberty_box has quit (Ping timeout: 2m30s) | Dec 08 05:42 | |
*GNUmoon2 has quit (Ping timeout: 2m30s) | Dec 08 06:07 | |
*u-amarsh04 (~amarsh04@t25x9hgy9xhrc.irc) has joined #techbytes | Dec 08 06:45 | |
*GNUmoon2 (~GNUmoon@6msztc2mupc3w.irc) has joined #techbytes | Dec 08 06:53 | |
*liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 07:06 | |
*liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 07:06 | |
*Grass has quit (Connection closed) | Dec 08 08:13 | |
*liberty_box_ has quit (Ping timeout: 2m30s) | Dec 08 08:40 | |
*liberty_box has quit (Ping timeout: 2m30s) | Dec 08 08:40 | |
*liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 08:40 | |
*liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes | Dec 08 08:41 | |
schestowitz | > Thanks for these good responses and article links Roy. | Dec 08 09:17 |
schestowitz | > | Dec 08 09:17 |
schestowitz | > I too wish we could stop outsourcing "trust" to these obviously | Dec 08 09:17 |
schestowitz | > untrustworthy corporations. As I said, imho the problem lies with | Dec 08 09:17 |
schestowitz | > browser developers who make "user friendly" (corporate spyware), and | Dec 08 09:17 |
schestowitz | > web technology whose current level of complexity is completely broken. | Dec 08 09:17 |
schestowitz | > | Dec 08 09:17 |
schestowitz | > Maybe Gemini will give us back an "informative web". | Dec 08 09:17 |
schestowitz | Subject: Re: Certificates on TechRights | Dec 08 09:21 |
schestowitz | [sorry for the length of the reply] | Dec 08 09:21 |
schestowitz | >> I would be interested to know why Roy uses a self-signed certificate. | Dec 08 09:21 |
schestowitz | >> I'm considering writing an article that delves into how much of | Dec 08 09:21 |
schestowitz | >> browser security warnings are justified and how much are not. It | Dec 08 09:21 |
schestowitz | >> occurs to me that websites that are HTTP only or that use self-signed | Dec 08 09:21 |
schestowitz | >> certificates may be the new darkweb. | Dec 08 09:21 |
schestowitz | > | Dec 08 09:21 |
schestowitz | > The term "darkweb" is a meaningless buzzword that should be avoided. | Dec 08 09:22 |
schestowitz | > People who say "darkweb" help the likes of BBC perpetuate ruinous myths, | Dec 08 09:22 |
schestowitz | > e.g. about a forum that requires a username/password to access. | Dec 08 09:22 |
schestowitz | I would say that those security warnings are mostly about control and | Dec 08 09:22 |
schestowitz | not about ensuring the integrity or confidentiality of communications. | Dec 08 09:22 |
schestowitz | But first about Tor. The project used to have a more detailed page | Dec 08 09:22 |
schestowitz | explaining its user base, but the gist remains: | Dec 08 09:22 |
schestowitz | https://donate.torproject.org/donor-faq/ | Dec 08 09:22 |
-TechBytesBot/#techbytes-donate.torproject.org | Tor Project | donor-faq | Dec 08 09:22 | |
schestowitz | Their site has gotten much less informative and significantly wordier | Dec 08 09:22 |
schestowitz | recently. Here are some of their links to some scripts, as PDF, | Dec 08 09:22 |
schestowitz | carrying text about the topic: | Dec 08 09:22 |
schestowitz | https://community.torproject.org/user-research/reports/ | Dec 08 09:22 |
schestowitz | (For what it's worth, Tor is not the only privacy network. There are | Dec 08 09:22 |
-TechBytesBot/#techbytes-community.torproject.org | Tor Project | Reports | Dec 08 09:22 | |
schestowitz | I2P and Freenet, to name just two more.) | Dec 08 09:22 |
schestowitz | One of the ways that TR itself uses Tor is to read news in countries | Dec 08 09:22 |
schestowitz | that block outside access. Another use-case is it provides a steady | Dec 08 09:22 |
schestowitz | address as well as the ability to "NAT punch" for road warriors and | Dec 08 09:22 |
schestowitz | those in similar situations. | Dec 08 09:22 |
schestowitz | Now about self-signed certificates, I too observe that the major web | Dec 08 09:22 |
schestowitz | browsers¹, and allied institutions and businesses, have oriented their | Dec 08 09:22 |
schestowitz | software and activities to discourage, disparage, and/or block | Dec 08 09:22 |
schestowitz | self-signed certificates for web sites. Note the bad "safety" rating | Dec 08 09:22 |
schestowitz | that Netcraft gives such HTTPS sites. | Dec 08 09:22 |
schestowitz | However, the harm is greater and more insidious than it looks like at | Dec 08 09:22 |
schestowitz | first glance: the self-signed part does not refer to the certificate | Dec 08 09:22 |
schestowitz | signing itself. The self-signed part refers to the act when an | Dec 08 09:22 |
schestowitz | institution (project, business, school, whatever) signs its own. Those | Dec 08 09:22 |
schestowitz | discouraging self-signing are doing no less than attacking the authority | Dec 08 09:22 |
schestowitz | of those institutions to be allowed to testify themselves as to the | Dec 08 09:22 |
schestowitz | integrity and confidentiality of their own communications. | Dec 08 09:22 |
schestowitz | At the same time as people are discouraged from trusting certificates | Dec 08 09:22 |
schestowitz | they make themselves and are not from big, brand-named companies, they | Dec 08 09:22 |
schestowitz | are encouraged to blindly trust all the certificates which have been | Dec 08 09:22 |
schestowitz | preloaded into their Web browsers. I am not familiar enough with | Dec 08 09:22 |
schestowitz | packaging to say what has come from where but in Ubuntu, for example, | Dec 08 09:22 |
schestowitz | there are hundreds of such certificates: | Dec 08 09:22 |
schestowitz | $ ls /etc/ssl/certs/ | wc -l | Dec 08 09:22 |
schestowitz | 257 | Dec 08 09:22 |
schestowitz | Any of those hundreds³ can MitM the communication to observe or change | Dec 08 09:22 |
schestowitz | the message. See from the EFF back when it focused on its core mission: | Dec 08 09:22 |
schestowitz | https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl | Dec 08 09:23 |
-TechBytesBot/#techbytes-www.eff.org | New Research Suggests That Governments May Fake SSL Certificates | Electronic Frontier Foundation | Dec 08 09:23 | |
schestowitz | In the case of scripts, such as PDF or Javascript, those changes mean | Dec 08 09:23 |
schestowitz | unprivileged access to the system, at least initially. Once local, | Dec 08 09:23 |
schestowitz | there are usually many ways to pivot to privileged access if that is the | Dec 08 09:23 |
schestowitz | goal. A perennial on most systems is RowhammerJS², I presume. Be that | Dec 08 09:23 |
schestowitz | as it may, even unprivileged access allows monitoring of the data going | Dec 08 09:23 |
schestowitz | either direction. | Dec 08 09:23 |
schestowitz | tldr; It's about freedom yet again: The self-signed aspect refers to | Dec 08 09:23 |
schestowitz | the act when an institution signs the very encryption keys it will | Dec 08 09:23 |
schestowitz | itself use. | Dec 08 09:23 |
schestowitz | xxxxxxxxxxxxxxxxxxxxxxxxxx | Dec 08 09:23 |
schestowitz | ---- | Dec 08 09:23 |
schestowitz | ¹ certificates are used by far more than the web. Some of these require | Dec 08 09:23 |
schestowitz | a certificate, for others it is optional but highly recommended: Tor, SSH, | Dec 08 09:23 |
schestowitz | Gemini, SMTP, MQTT, MySQL/PostgreSQL, etc. Either way, signing an | Dec 08 09:23 |
schestowitz | institution's own certificates ensures both the confidentiality and | Dec 08 09:23 |
schestowitz | integrity of the communications. | Dec 08 09:23 |
schestowitz | See a small subset of examples, with or without TLS, mostly with: | Dec 08 09:23 |
schestowitz | https://en.wikipedia.org/wiki/National_identity_cards_in_the_European_Union#Electronic_identity_cards | Dec 08 09:23 |
-TechBytesBot/#techbytes-en.wikipedia.org | National identity cards in the European Economic Area - Wikipedia | Dec 08 09:23 | |
schestowitz | https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication | Dec 08 09:23 |
-TechBytesBot/#techbytes-en.wikibooks.org | OpenSSH/Cookbook/Certificate-based Authentication - Wikibooks, open books for an open world | Dec 08 09:23 | |
schestowitz | https://dev.mysql.com/doc/refman/8.0/en/encrypted-connections.html | Dec 08 09:23 |
-TechBytesBot/#techbytes-dev.mysql.com | MySQL :: MySQL 8.0 Reference Manual :: 6.3 Using Encrypted Connections | Dec 08 09:23 | |
schestowitz | https://core.telegram.org/mtproto/transports | Dec 08 09:23 |
-TechBytesBot/#techbytes-core.telegram.org | Transports | Dec 08 09:23 | |
schestowitz | https://signal.org/blog/certifiably-fine/ | Dec 08 09:23 |
-TechBytesBot/#techbytes-signal.org | NO TITLE | Dec 08 09:23 | |
schestowitz | https://www.ftptoday.com/blog/explicit-ftps-vs-implicit-ftps-what-you-need-to-know (FTP is deprecated even when mixed with TLS) | Dec 08 09:23 |
-TechBytesBot/#techbytes-www.ftptoday.com | Explicit FTPS vs. Implicit FTPS: What You Need to Know | Dec 08 09:23 | |
schestowitz | http://www.postfix.org/TLS_README.html | Dec 08 09:23 |
-TechBytesBot/#techbytes-www.postfix.org | Postfix TLS Support | Dec 08 09:23 | |
schestowitz | https://gemini.circumlunar.space/docs/tls-tutorial.gmi | Dec 08 09:23 |
-TechBytesBot/#techbytes-gemini.circumlunar.space | TLS, client certificates, TOFU, and all that jazz | Dec 08 09:23 | |
schestowitz | https://forums.raspberrypi.com/viewtopic.php?t=287326 | Dec 08 09:23 |
-TechBytesBot/#techbytes-forums.raspberrypi.com | Some Notes on setting up MQTT over TLS - Raspberry Pi Forums | Dec 08 09:23 | |
schestowitz | Note that last one has inaccuracies like most TLS guides do. | Dec 08 09:23 |
schestowitz | ----- | Dec 08 09:23 |
schestowitz | ² https://arxiv.org/abs/1507.06955 | Dec 08 09:23 |
schestowitz | ----- | Dec 08 09:23 |
schestowitz | ³ If I understand the model correctly, that ability extends indefinitely | Dec 08 09:23 |
-TechBytesBot/#techbytes-arxiv.org | [1507.06955] Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript | Dec 08 09:23 | |
schestowitz | down the chain of certificates which can trace their trust back to many | Dec 08 09:23 |
schestowitz | of those 257. Even going with the surface claims of certificate issuer, | Dec 08 09:23 |
schestowitz | it looks bad: | Dec 08 09:23 |
schestowitz | for c in /etc/ssl/certs/*; | Dec 08 09:23 |
schestowitz | do openssl x509 -text -noout -in "$c"; | Dec 08 09:23 |
schestowitz | done | awk '($1=$1) && $1=="Issuer:"' | sort | less | Dec 08 09:23 |
schestowitz | another noteworthy aspect is: the extra complexity and risk of non-renewal (why expiry so rapid in LE?) encourages outsourcing and centralisation. Complexity like systemd, which might help sell support contracts rather than hire competent engineers in-house. | Dec 08 09:25 |
schestowitz | <li> | Dec 08 09:26 |
schestowitz | <h5><a href="https://www.techrepublic.com/article/rss-readers-linux-users/">4 RSS readers every Linux user should try</a></h5> | Dec 08 09:26 |
-TechBytesBot/#techbytes- ( status 404 @ https://www.techrepublic.com/article/rss-readers-linux-users/%22%3e4 ) | Dec 08 09:26 | |
schestowitz | <blockquote> | Dec 08 09:26 |
schestowitz | <p>Standards like RSS are maybe the most underrated and underutilized feature of the modern web. RSS feeds are plain text files that every website publishes at a fixed address, with an explicit link or the common RSS icon. Those feeds are continuously rewritten with headlines, excerpts and links to the full versions of all the latest additions to that website. Then, using programs called RSS readers, or aggregators, you can | Dec 08 09:26 |
schestowitz | automatically download and read as many RSS feeds as you want, whenever you want, in one window. It's hard to overstate how great this is, because: [...]</p></blockquote></li> | Dec 08 09:26 |
*tech_exorcist (~tech_exorcist@svp6nvmiuarba.irc) has joined #techbytes | Dec 08 10:04 | |
*tech_exorcist has quit (connection closed) | Dec 08 10:24 | |
*u-amarsh04 has quit (Quit: Konversation terminated!) | Dec 08 10:56 | |
*tech_exorcist (~tech_exorcist@r7zq4q2ys63yk.irc) has joined #techbytes | Dec 08 11:01 | |
*u-amarsh04 (~amarsh04@t25x9hgy9xhrc.irc) has joined #techbytes | Dec 08 11:03 | |
*DaemonFC (~daemonfc@ddstkmbt93p8q.irc) has joined #techbytes | Dec 08 11:10 | |
*psydroid2 (~psydroid@cqggrmwgu7gji.irc) has joined #techbytes | Dec 08 11:39 | |
*screenplays (~roybsd@joseon-daa.91g.0nvsnc.IP) has joined #techbytes | Dec 08 11:53 | |
*DaemonFC has quit (Quit: Leaving) | Dec 08 12:01 | |
*GNUmoon2 has quit (Ping timeout: 2m30s) | Dec 08 12:44 | |
*GNUmoon2 (~GNUmoon@b4jjzquhwb7y2.irc) has joined #techbytes | Dec 08 13:00 | |
*tech_exorcist has quit (Quit: bbl) | Dec 08 15:10 | |
*tech_exorcist (~tech_exorcist@kmujm4s8xqrtu.irc) has joined #techbytes | Dec 08 15:17 | |
*DaemonFC (~daemonfc@ddstkmbt93p8q.irc) has joined #techbytes | Dec 08 17:20 | |
*tech_exorcist has quit (Quit: see you tomorrow) | Dec 08 17:31 | |
*tech_exorcist (~tech_exorcist@iwskee978x32q.irc) has joined #techbytes | Dec 08 17:31 | |
*tech_exorcist has quit (connection closed) | Dec 08 17:32 | |
*screenplays has quit (Connection closed) | Dec 08 18:39 | |
*tech_exorcist (~tech_exorcist@9z833ybby7ta4.irc) has joined #techbytes | Dec 08 19:43 | |
*DaemonFC has quit (Ping timeout: 2m30s) | Dec 08 19:53 | |
*tech_exorcist has quit (connection closed) | Dec 08 20:17 | |
*tech_exorcist (~tech_exorcist@dmw5b4ab5hxvs.irc) has joined #techbytes | Dec 08 20:17 | |
*GNUmoon2 has quit (Ping timeout: 2m30s) | Dec 08 21:05 | |
schestowitz | https://www.fosslife.org/4-rss-readers-linux | Dec 08 21:21 |
-TechBytesBot/#techbytes-www.fosslife.org | 4 RSS Readers for Linux | Dec 08 21:21 | |
schestowitz | " | Dec 08 21:21 |
schestowitz | RSS readers are a great way to get all the online news you want without distractions or advertising, says Marco Fioretti. | Dec 08 21:21 |
schestowitz | Here are four RSS feeders focused on efficiency and privacy that you can use on your Linux-based machine. | Dec 08 21:21 |
schestowitz | " | Dec 08 21:21 |
*tech_exorcist has quit (Quit: see you tomorrow) | Dec 08 21:35 | |
*Yakut (~evil@joseon-6la.bbr.j4127h.IP) has joined #techbytes | Dec 08 22:12 | |
*Yakut (~evil@joseon-6la.bbr.j4127h.IP) has left #techbytes | Dec 08 22:13 | |
*DaemonFC (~daemonfc@fx43r9f9r7aj8.irc) has joined #techbytes | Dec 08 23:09 |
Generated by irclog2html.py 2.6