public inbox for nncp-devel@lists.cypherpunks.ru
From: John Goerzen <jgoerzen@complete•org>
To: Sergey Matveev <stargrave@stargrave•org>
Cc: nncp-devel@lists.cypherpunks.ru
Subject: Re: Website TLS certificates
Date: Tue, 03 Aug 2021 10:58:13 -0500
Message-ID: <8735rqy0yy.fsf@complete.org>
In-Reply-To: <YPh2cwRlnbZ/JVE+@stargrave.org>

On Wed, Jul 21 2021, Sergey Matveev wrote:

> *** Jonathan Lane [2021-07-21 18:47]:
>>Is there a plan to get proper SSL certificates for the website? I can't
>>access them from either w3m or Firefox on my machine because of trust
>>issues.
>
> I do not know any free CAs that can be trusted both by me and by major
> OS/browser vendors. And definitely won't play in those business (not
> security) games. Major OS/browser vendors, being US-based, were forced
> to reject/remove all free CAs that are not under USA/NATO control to
> create their own one (Let's Encrypt) under "proper" jurisdiction. Great
> and very clever move indeed, because now the most part of the Web is
> authenticated by a single centralized USA/NATO-controlled entity.

Hi Sergey,

So just today I had an exchange here, with a person wondering why 
the TLS for a thing that's all about encryption is broken.  You 
can find it here: 
https://floss.social/web/statuses/106691934299110939

The person I was corresponding with wrote, "With the cost of TLS 
certs being free, why would your group not encrypt?  Your group is 
all about encryption!"  This was AFTER I sent him a link to your 
post in the NNCP archives.

> * Paid ones -- no way. They are not about security, but business.
> * Let's Encrypt -- clearly it can be used for authentication forging.
>   So why bother? Encryption could be done anyway.

I'm not familiar with this problem with Let's Encrypt (and would 
be happy to learn more).

I have been using it for some years now with good success.

As for "why bother", I think we can recognize that TLS with Let's 
Encrypt does provide some measure of improvement, even if 
imperfect.

But the more important reason is: if we're looking to build 
something that attracts security-conscious people, it's a big 
perception problem when it LOOKS like "the project can't even 
configure TLS for their website correctly".  It leads to a lack of 
trust from people that could really benefit from NNCP.

To be honest, when I was first looking into NNCP, that put me off 
as well.  I eventually got past that, obviously, but not everyone 
may.

How can I help?

If you don't want to run Let's Encrypt yourself, perhaps I could:

- Operate a mirror of www.nncpgo.org that does support TLS (that 
  would be pretty easy, probably, since it's just built out of the 
  source tree)

- Work with others to raise funds to cover the cost of a TLS cert 
  from a vendor you trust (especially if it's not too expensive)

I really want to make sure barriers to entry are low for people to 
get involved!

- John
