public inbox for
Atom feed
From: John Goerzen <jgoerzen@complete•org>
To: Sergey Matveev <stargrave@stargrave•org>
Subject: Re: Website TLS certificates
Date: Tue, 03 Aug 2021 21:46:37 -0500	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On Tue, Aug 03 2021, Sergey Matveev wrote:

> Greetings!

Good evening / morning!

Thank you for your very thoughtful response.  I understand where 
you are coming from a lot better (and I had misunderstood what 
kind of authentication you meant previously).  I think we are in 
pretty close agreement technically, but differ tactically.  That's 
fine.  I'll reply to a few bits here, but I did read the whole 

>>As for "why bother", I think we can recognize that TLS with 
>>Let's Encrypt
>>does provide some measure of improvement, even if imperfect.
> If it brings an *illusion* of security, than it hurts much more 
> than
> gives any positive things. When you clearly understand the 
> insecurity of


> Channel is encrypted -- good. But if you do not know precisely 
> to whom
> you have got that channel -- there is not much value in the 
> encryption
> by its own.

Right, hence the WoT (or attempts at it) in various flavors.

> If somebody thinks that "TLS is good and secure" and he throws 
> some
> software off because he does not see "TLS", but some strange 
> unseen
> before "Noise"... well, I am honestly not sad about the fact 
> that most
> people have not enough education to make security evaluations. 
> That
> people just do not deserve security (some kind of).

And here I would say: let's start by meeting people where they're 
at and educating them.  It's the only way we'll be able to spread.

> (TOFU), web-of-trust and all that kind of technologies. Gemini 
> protocol
> forces TLS usage, but exclusively with TOFU and no PKI involved 
> (however
> it is not forbidden). There was discussion why Debian does not 
> use TLS

Interesting.  I have been meaning to get involved with Gemini for 
quite some time.

> Speaking of NNCP: the most crucial thing to authenticate is its
> tarballs, that are OpenPGP-signed. If you want encryption: 
> replace

Absolutely agreed, and I did point this out to the correspondent 
in the conversation I linked.  I also pointed out to them that the 
entire website content is in the release tarballs.

> Authentication is very serious question, because it easily 
> creates
> devastating illusion of security, where you can not make 
> objective risks
> evaluations. Encryption is easy, but authentication, I mean 
> trust -- is
> very hard to get.


>>- Operate a mirror of that does support TLS (that 
>>would be
>>pretty easy, probably, since it's just built out of the  source 
> already (since the beginning?) supports TLS. That 
> is

I misspoke; I should have said "TLS with a cert that validates on 
most browsers".

> authenticated by my OpenPGP key (that signed 
> for which you can find various ways of trusting it. Another TLS 
> site
> with US/NATO controlled entity definitely won't be more secure.

I just wanted to say something here...  There are also a lot of 
Americans and Europeans that have negative stereotypes of the 
security of Russian software.  I won't repeat them here because I 
don't like stereotypes.

Fundamentally every government is flawed.  There is a whole 
off-topic conversation one could have about the different ways 
they are and which are more than others, but I think the bottom 
line is there's no perfect government on earth.  I live in the USA 
and I am plenty involved in activism to make things better here. 
Europe is currently discussing expanded domestic surveillance 
laws.  We have to be vigilant everywhere.

But what governments do is not the same as what people do.  I have 
been a supporter of EFF for a very long time (decades).  They are 
the good guys here.  They fought to make strong encryption legal 
in the USA back when that was a murky area, have fought against 
surveillance, have fought to protect people's privacy, encryption, 
and so forth in a whole host of areas for a very long time.  They 
are one of the champions behind Let's Encrypt.  Again, I'm not 
saying that Let's Encrypt is perfect, but mere presence in the US 
doesn't constitute technical control by the US government.  EFF is 
not a friend of the government - heck, John Gilmore was one of the 
founders and has repeatedly sued the US government - and it isn't 
logical to assume that EFF/ISRG is compromised on the basis of its 
location in the US.  In fact, a source of some strength (and also, 
it must be said, some problems, since it is more difficult to 
regulate) is the high degree of protection US entities have from 
government interference.

>>I really want to make sure barriers to entry are low of people 
>>to get
> Then people somehow should spread the education, spread the base
> cryptography-related knowledge. Everything is doomed from 
> cryptography
> security point of view, when nearly everyone trusts 
> Telegram/WhatsApp
> and closed proprietary surveillance operating system like 
> Microsoft
> Windows and Apple macOS. I tend to talk about that and spread 
> the

Oh I am in absolute agreement there.  I've written recently, eg, 
(which highlights NNCP several times).

> knowledge, for years participating in various conferences:
> Illiteracy is the main 
> problem.

I've seen that page, and several look very interesting, but 
unfortunately aren't in a language I understand.

So I touched on some of these issues at 
where I pointed out that "Signal brings encryption and privacy to 
meet people where they’re at".  I think that's really important - 
Signal's not perfect, but it provides benefits over something 
controlled by Facebook.

> Most people (actually their 
> Google/Apple/Mozilla/Microsoft-driven
> web-browsers) will anyway complain about insecurity even when
> downloading OpenPGP signed tarball from .onion over the 
> yggdrasil, with
> a bit of IPsec between home router and computer itself. But they 
> keep

Hah!  And Ouch.

So fundamentally, I want to send a message that "you can trust 
NNCP".  The reality of meeting people where we are is that people 
are getting a browser warning from  I specifically put 
a non-https link in the message that was replied to, and browsers 
are "upgrading" to https opportunistically, then warning (and even 
warning on plain http sometimes).

Would you object if I set up something like 
or some such, with a TLS cert?  I'm not sure if that's a good plan 
or not, yet, or really how big a deal this is (I don't want one 
conversation to color it too much), but I think it is a perception 
issue related to getting people in the door.

- John

  reply	other threads:[~2021-08-04  2:47 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-19 16:57 [EN] NNCP 7.4.0 release announcement Sergey Matveev
2021-07-21 18:47 ` Jonathan Lane
2021-07-21 19:13   ` John Goerzen
2021-07-21 19:32   ` Website TLS certificates Sergey Matveev
2021-08-03 15:58     ` John Goerzen
2021-08-03 18:02       ` Sergey Matveev
2021-08-04  2:46         ` John Goerzen [this message]
2021-08-04 12:51           ` Sergey Matveev
2021-08-04 18:54             ` Jonathan Lane
2021-08-04 19:24               ` Sergey Matveev
2021-08-04 20:16               ` Sergey Matveev
2021-09-02  8:59     ` Sergey Matveev