public inbox for nncp-devel@lists.cypherpunks.ru
From: John Goerzen <jgoerzen@complete•org>
To: Sergey Matveev <stargrave@stargrave•org>
Cc: nncp-devel@lists.cypherpunks.ru
Subject: Re: Website TLS certificates
Date: Tue, 03 Aug 2021 10:58:13 -0500
Message-ID: <8735rqy0yy.fsf@complete.org>
In-Reply-To: <YPh2cwRlnbZ/JVE+@stargrave.org>
On Wed, Jul 21 2021, Sergey Matveev wrote:
> *** Jonathan Lane [2021-07-21 18:47]:
>>Is there a plan to get proper SSL certificates for the website? I can't
>>access them from either w3m or Firefox on my machine because of trust
>>issues.
>
> I do not know any free CAs that can be trusted both by me and by major
> OS/browser vendors. And definitely won't play in those business (not
> security) games. Major OS/browser vendors, being US-based, were forced
> to reject/remove all free CAs that are not under USA/NATO control to
> create their own one (Let's Encrypt) under "proper" jurisdiction. Great
> and very clever move indeed, because now the most part of the Web is
> authenticated by single centralized USA/NATO-control entity.
Hi Sergey,
So just today I had an exchange here, with a person wondering why
the TLS for a thing that's all about encryption is broken. You
can find it here:
https://floss.social/web/statuses/106691934299110939
The person I was corresponding with wrote, "With the cost of TLS
certs being free, why would your group not encrypt? Your group is
all about encryption!" This was AFTER I sent him a link to your
post in the NNCP archives.
> * Paid ones -- no way. They are not about security, but business.
> * Let's Encrypt -- clearly it can be used for authentication forging.
> So why bother? Encryption could be done anyway.
I'm not familiar with this problem with Let's Encrypt (and would
be happy to learn more).
I have been using it for some years now with good success.
As for "why bother", I think we can recognize that TLS with Let's
Encrypt does provide some measure of improvement, even if
imperfect.
But the more important reason is: if we're looking to build
something that attracts security-conscious people, it's a big
perception problem when it LOOKS like "the project can't even
configure TLS for their website correctly". It leads to a lack of
trust from people that could really benefit from NNCP.
To be honest, when I was first looking into NNCP, that put me off
as well. I eventually got past that, obviously, but not everyone
may.
How can I help?
If you don't want to run Let's Encrypt yourself, perhaps I could:
- Operate a mirror of www.nncpgo.org that does support TLS (that
would be pretty easy, probably, since it's just built out of the
source tree)
- Work with others to raise funds to cover the cost of a TLS cert
from a vendor you trust (especially if it's not too expensive)
I really want to make sure barriers to entry are low for people to
get involved!
- John
Thread overview: 12+ messages
2021-07-19 16:57 [EN] NNCP 7.4.0 release announcement Sergey Matveev
2021-07-21 18:47 ` Jonathan Lane
2021-07-21 19:13 ` John Goerzen
2021-07-21 19:32 ` Website TLS certificates Sergey Matveev
2021-08-03 15:58 ` John Goerzen [this message]
2021-08-03 18:02 ` Sergey Matveev
2021-08-04 2:46 ` John Goerzen
2021-08-04 12:51 ` Sergey Matveev
2021-08-04 18:54 ` Jonathan Lane
2021-08-04 19:24 ` Sergey Matveev
2021-08-04 20:16 ` Sergey Matveev
2021-09-02 8:59 ` Sergey Matveev