public inbox for nncp-devel@lists.cypherpunks.ru
Atom feed
From: John Goerzen <jgoerzen@complete•org>
To: Sergey Matveev <stargrave@stargrave•org>
Cc: nncp-devel@lists.cypherpunks.ru
Subject: Re: Website TLS certificates
Date: Tue, 03 Aug 2021 21:46:37 -0500 [thread overview]
Message-ID: <87o8aevsdu.fsf@complete.org> (raw)
In-Reply-To: <YQmE23ZgfbPc5Mpn@stargrave.org>
On Tue, Aug 03 2021, Sergey Matveev wrote:
> Greetings!
Good evening / morning!
Thank you for your very thoughtful response. I understand where
you are coming from a lot better (and I had misunderstood what
kind of authentication you meant previously). I think we are in
pretty close agreement technically, but differ tactically. That's
fine. I'll reply to a few bits here, but I did read the whole
thing!
>>As for "why bother", I think we can recognize that TLS with
>>Let's Encrypt
>>does provide some measure of improvement, even if imperfect.
>
> If it brings an *illusion* of security, than it hurts much more
> than
> gives any positive things. When you clearly understand the
> insecurity of
Agreed.
> Channel is encrypted -- good. But if you do not know precisely
> to whom
> you have got that channel -- there is not much value in the
> encryption
> by its own.
Right, hence the WoT (or attempts at it) in various flavors.
> If somebody thinks that "TLS is good and secure" and he throws
> some
> software off because he does not see "TLS", but some strange
> unseen
> before "Noise"... well, I am honestly not sad about the fact
> that most
> people have not enough education to make security evaluations.
> That
> people just do not deserve security (some kind of).
And here I would say: let's start by meeting people where they're
at and educating them. It's the only way we'll be able to spread.
> (TOFU), web-of-trust and all that kind of technologies. Gemini
> protocol
> forces TLS usage, but exclusively with TOFU and no PKI involved
> (however
> it is not forbidden). There was discussion why Debian does not
> use TLS
Interesting. I have been meaning to get involved with Gemini for
quite some time.
> Speaking of NNCP: the most crucial thing to authenticate is its
> tarballs, that are OpenPGP-signed. If you want encryption:
> replace
Absolutely agreed, and I did point this out to the correspondent
in the conversation I linked. I also pointed out to them that the
entire website content is in the release tarballs.
> Authentication is very serious question, because it easily
> creates
> devastating illusion of security, where you can not make
> objective risks
> evaluations. Encryption is easy, but authentication, I mean
> trust -- is
> very hard to get.
Agreed.
>
>>- Operate a mirror of www.nncpgo.org that does support TLS (that
>>would be
>>pretty easy, probably, since it's just built out of the source
>>tree)
>
> www.nncpgo.org already (since the beginning?) supports TLS. That
> is
I misspoke; I should have said "TLS with a cert that validates on
most browsers".
> authenticated by my OpenPGP key (that signed
> http://ca.cypherpunks.ru)
> for which you can find various ways of trusting it. Another TLS
> site
> with US/NATO controlled entity definitely won't be more secure.
I just wanted to say something here... There are also a lot of
Americans and Europeans that have negative stereotypes of the
security of Russian software. I won't repeat them here because I
don't like stereotypes.
Fundamentally every government is flawed. There is a whole
off-topic conversation one could have about the different ways
they are and which are more than others, but I think the bottom
line is there's no perfect government on earth. I live in the USA
and I am plenty involved in activism to make things better here.
Europe is currently discussing expanded domestic surveillance
laws. We have to be vigilant everywhere.
But what governments do is not the same as what people do. I have
been a supporter of EFF for a very long time (decades). They are
the good guys here. They fought to make strong encryption legal
in the USA back when that was a murky area, have fought against
surveillance, have fought to protect people's privacy, encryption,
and so forth in a whole host of areas for a very long time. They
are one of the champions behind Let's Encrypt. Again, I'm not
saying that Let's Encrypt is perfect, but mere presence in the US
doesn't constitute technical control by the US government. EFF is
not a friend of the government - heck, John Gilmore was one of the
founders and has repeatedly sued the US government - and it isn't
logical to assume that EFF/ISRG is compromised on the basis of its
location in the US. In fact, a source of some strength (and also,
it must be said, some problems, since it is more difficult to
regulate) is the high degree of protection US entities have from
government interference.
>>I really want to make sure barriers to entry are low of people
>>to get
>>involved!
>
> Then people somehow should spread the education, spread the base
> cryptography-related knowledge. Everything is doomed from
> cryptography
> security point of view, when nearly everyone trusts
> Telegram/WhatsApp
> and closed proprietary surveillance operating system like
> Microsoft
> Windows and Apple macOS. I tend to talk about that and spread
> the
Oh I am in absolute agreement there. I've written recently, eg,
https://changelog.complete.org/archives/10205-roundup-of-secure-messengers-with-off-the-grid-capabilities-distributed-mesh-messengers
and
https://changelog.complete.org/archives/10231-recovering-our-lost-free-will-online-tools-and-techniques-that-are-available-now
(which highlights NNCP several times).
> knowledge, for years participating in various conferences:
> http://www.stargrave.org/Talks.html Illiteracy is the main
> problem.
I've seen that page, and several look very interesting, but
unfortunately aren't in a language I understand.
So I touched on some of these issues at
https://changelog.complete.org/archives/10216-the-hidden-drawbacks-of-p2p-and-a-defense-of-signal
where I pointed out that "Signal brings encryption and privacy to
meet people where they’re at". I think that's really important -
Signal's not perfect, but it provides benefits over something
controlled by Facebook.
> Most people (actually their
> Google/Apple/Mozilla/Microsoft-driven
> web-browsers) will anyway complain about insecurity even when
> downloading OpenPGP signed tarball from .onion over the
> yggdrasil, with
> a bit of IPsec between home router and computer itself. But they
> keep
Hah! And Ouch.
So fundamentally, I want to send a message that "you can trust
NNCP". The reality of meeting people where we are is that people
are getting a browser warning from nncpgo.org. I specifically put
a non-https link in the message that was replied to, and browsers
are "upgrading" to https opportunistically, then warning (and even
warning on plain http sometimes).
Would you object if I set up something like nncp.mirrors.quux.org
or some such, with a TLS cert? I'm not sure if that's a good plan
or not, yet, or really how big a deal this is (I don't want one
conversation to color it too much), but I think it is a perception
issue related to getting people in the door.
- John
next prev parent reply other threads:[~2021-08-04 2:47 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-19 16:57 [EN] NNCP 7.4.0 release announcement Sergey Matveev
2021-07-21 18:47 ` Jonathan Lane
2021-07-21 19:13 ` John Goerzen
2021-07-21 19:32 ` Website TLS certificates Sergey Matveev
2021-08-03 15:58 ` John Goerzen
2021-08-03 18:02 ` Sergey Matveev
2021-08-04 2:46 ` John Goerzen [this message]
2021-08-04 12:51 ` Sergey Matveev
2021-08-04 18:54 ` Jonathan Lane
2021-08-04 19:24 ` Sergey Matveev
2021-08-04 20:16 ` Sergey Matveev
2021-09-02 8:59 ` Sergey Matveev