Greetings!

*** John Goerzen [2021-08-03 10:58]:
>The person I was corresponding with wrote, "With the cost of TLS certs being
>free, why would your group not encrypt? Your group is all about
>encryption!"

I completely agree that there is no reason not to encrypt (everything).
But my concerns are all about authentication.

>As for "why bother", I think we can recognize that TLS with Let's Encrypt
>does provide some measure of improvement, even if imperfect.

If it brings an *illusion* of security, then it hurts much more than it gives any positive things. When you clearly understand the insecurity of the channel, then you make a proper, good risk evaluation. When you are told that you have got a secure channel, but actually it is likely to be impersonated by a trusted man-in-the-middle (untrusted Let's Encrypt CA), then you can hardly evaluate your risks. The channel is encrypted -- good. But if you do not know precisely to whom you have got that channel -- there is not much value in the encryption on its own.

I remind that all websites like www.nncpgo.org, www.cypherpunks.ru and dozens of others -- have TLS. If you want encryption, just point your software to use the HTTPS protocol. If you want authentication, then we have to find a common gratis trust anchor. Currently there is no such thing; even CACert.org, which I trust much more, is included only in minor (by popularity) distributions.

>But the more important reason is: if we're looking to build something that
>attracts security-conscious people, it's big perception problem when it
>LOOKS like "the project can't even configure TLS for their website
>correctly". It leads to a lack of trust from people that could really
>benefit from NNCP.

I doubt people thinking about TLS are really security conscious. Most people do not know the difference between encryption and authentication. Most people have never thought about trust anchors and whom *they* really trust, and who decided that *they* trust some company they have never heard of before among the dozens/hundreds preinstalled on their operating system. If somebody thinks that "TLS is good and secure" and he throws some software away because he does not see "TLS", but some strange, never-before-seen "Noise"... well, I am honestly not sad about the fact that most people have not enough education to make security evaluations. Those people just do not deserve security (of some kind).

Let's be honest: there is a "world"/ecosystem spread and created by businessmen, where WhatsApp or even Telegram are considered secure systems, like the presence of "https://" in the URL field, or a signature on the executable made by Microsoft/Apple/Google. And there is the world of "real" serious cryptographic security with PGP, Noise and similar kinds of things. If one is interested in "businessmen" security, then he should hire and pay for antivirus protection, IDS systems, certified software and so on. If one is interested in real security, then he has to understand at least some cryptography-related basics.

I do not want to say that TLS sucks -- it could be a very good system at enterprise scale, where I can trust my security/system administrators. But at global scale... our world always was the area of struggle and battle between various nations and their influence, so there just can not be a single trust anchor everyone accepts. I am not against TLS, but against a global-scale PKI system, which is impossible to trust. I believe that TLS must not exist at all, because IPv6+IPsec with "anonymous" keys (naked public keys, without certificates) must have taken its place, being more elegant, more flexible, more transparent, more efficient (encryption is done in the kernel, with long-lived IKEv2 security associations, unlike making a TLS connection in userland every time, with additional libraries (or wrappers) all the time).

But currently (until we finally move to IPv6, where all the IPsec flexibility and convenience can be met) it is of course better to use TLS than not to use any kind of security measures. But that is a completely different, purely technical question, and an idealistic world we move to with IPv6 :-)

Only the user himself must (should) make decisions about whom he trusts. If he trusts solely the single Microsoft/Apple/Mozilla/Google corporation: I doubt he should use NNCP or all that kind of technologies, because they do not make decisions for the user. Let some company decide what he is allowed to run, allowed to visit in the WWW. If the user wants to control his trust anchors, then he uses certificate pinning, trust-on-first-use (TOFU), web-of-trust and all that kind of technologies. The Gemini protocol forces TLS usage, but exclusively with TOFU and no PKI involved (however, it is not forbidden).

There was a discussion of why Debian does not use TLS for package downloads:
https://news.ycombinator.com/item?id=18958679
https://security.stackexchange.com/questions/53117/what-trusted-root-certification-authorities-should-i-trust
https://wiki.debian.org/SecureApt

A huge quantity of people think that "http://blablabla.onion" is insecure, because of "http://". The same people think about the insecurity of http://h.blablabla, where "h." leads to the Hyperboria overlay network made upon cjdns and Yggdrasil. And even more people forget about the possibility of using all of that over IPsec, which is completely transparent to the transport/application level. And most free software operating systems rely solely on PGP or signify tools, with trust anchors completely unrelated to the businessmen's PKI world.

And do not forget that there are also politics and military forces, working together with businessmen, where NOBUS (nobody but US) is completely acceptable for security. That "world"/ecosystem has DNSSEC, with a central trust anchor. The "real" crypto world has DNSCurve, where you control your trust anchor as you wish (you can pin them, you can create the same global-scale centralized PKI), where everything is encrypted (unlike DNSSEC with its clearly visible plaintext). But business does not rule real serious security. Business makes mostly "good enough", NOBUS-like security theatre.

Speaking of NNCP: the most crucial thing to authenticate is its tarballs, which are OpenPGP-signed. If you want encryption: replace "http://" with "https://". If you want authentication of the website, together with the tarballs, then you *have to* achieve trust in my main OpenPGP key, signed by dozens of people, including Richard M. Stallman, which signs the NNCP release keypair, DNSCurve public keys and the ca.cypherpunks.ru CA certificate itself:
http://www.stargrave.org/Trust-anchor.html

Authentication is a very serious question, because it easily creates a devastating illusion of security, where you can not make objective risk evaluations. Encryption is easy, but authentication, I mean trust -- is very hard to get.

>- Operate a mirror of www.nncpgo.org that does support TLS (that would be
>pretty easy, probably, since it's just built out of the source tree)

www.nncpgo.org already (since the beginning?) supports TLS. That is authenticated by my OpenPGP key (which signed http://ca.cypherpunks.ru), for which you can find various ways of trusting it. Another TLS site with a US/NATO-controlled entity definitely won't be more secure.

>- Work with others to raise funds to cover the cost of a TLS cert from a
>vendor you trust (especially if it's not too expensive)

NNCP is a thing for the world of real crypto: PGP, DNSCurve, Noise, manual trust control. No way will I wish to pay for businessmen's security theatre.

>I really want to make sure barriers to entry are low for people to get
>involved!

Then people somehow should spread the education, spread the basic cryptography-related knowledge. Everything is doomed from the cryptographic security point of view, when nearly everyone trusts Telegram/WhatsApp and closed proprietary surveillance operating systems like Microsoft Windows and Apple macOS. I tend to talk about that and spread the knowledge, for years participating in various conferences:
http://www.stargrave.org/Talks.html

Illiteracy is the main problem. Most people (actually their Google/Apple/Mozilla/Microsoft-driven web browsers) will anyway complain about insecurity even when downloading an OpenPGP-signed tarball from .onion over Yggdrasil, with a bit of IPsec between the home router and the computer itself. But they keep quiet if US/NATO definitely can alter the authentication of most websites.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263 6422 AE1A 8109 E498 57EF
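The message above contrasts encryption with authentication and names certificate pinning and trust-on-first-use (TOFU), the model Gemini clients use, as the way a user keeps control of his own trust anchors. The following is an added example, not code from NNCP, Gemini or this thread, showing what that decision looks like in a TLS client: the pin is the SHA-256 of the peer's DER certificate, recorded on first contact and compared on every later one, so the CA bundle plays no role. The store path, the host name `example.invalid`, and the certificate bytes in `demo()` are constructed for the example; port 1965 is Gemini's.

```python
"""Trust-on-first-use (TOFU) certificate pinning for a TLS client.

Added example, not code from the NNCP project or from this thread. The pin is
the SHA-256 of the peer's DER-encoded certificate; the decision never consults
a CA store. Store path and the sample certificate bytes are constructed.
"""
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path
from typing import Dict, List, Optional

# Decisions returned by PinStore.check()
NEW = "new"            # first contact: pin recorded, trust on first use
MATCH = "match"        # presented certificate equals the pinned one
MISMATCH = "mismatch"  # certificate changed since pinning: refuse to proceed


def pin_of(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """host:port -> fingerprint map, optionally persisted as JSON (assumed layout)."""

    def __init__(self, path: Optional[str] = None):
        self.path = Path(path) if path else None
        self.pins: Dict[str, str] = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Compare the presented certificate with the pin on file for host:port."""
        key = f"{host}:{port}"
        seen = pin_of(cert_der)
        known = self.pins.get(key)
        if known is None:
            self.pins[key] = seen      # trust on first use: remember what we saw
            self._save()
            return NEW
        # Constant-time compare of two equal-length hex digests.
        return MATCH if hmac.compare_digest(known, seen) else MISMATCH

    def repin(self, host: str, port: int, cert_der: bytes) -> None:
        """Accept a changed certificate explicitly, after out-of-band verification."""
        self.pins[f"{host}:{port}"] = pin_of(cert_der)
        self._save()


def connect_pinned(host: str, port: int, store: PinStore, timeout: float = 10.0):
    """Open a TLS connection whose peer is authenticated by the pin store.

    verify_mode is CERT_NONE on purpose: the CA-based check is replaced by the
    TOFU decision, and the socket is closed when the pin does not match.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    cert_der = tls.getpeercert(binary_form=True)
    decision = store.check(host, port, cert_der)
    if decision == MISMATCH:
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"pinned certificate for {host}:{port} changed; refusing")
    return tls, decision


def demo() -> List[str]:
    """Offline walk-through with constructed certificate bytes (not real DER)."""
    store = PinStore()  # in-memory only, nothing written to disk
    cert_a = b"constructed-certificate-A"
    cert_b = b"constructed-certificate-B"
    return [
        store.check("example.invalid", 1965, cert_a),  # first contact
        store.check("example.invalid", 1965, cert_a),  # same certificate again
        store.check("example.invalid", 1965, cert_b),  # a different certificate
    ]


if __name__ == "__main__":
    print(demo())
```

Pinning the whole certificate, as most Gemini clients do, means a routine renewal also produces `MISMATCH`; that is the point where the user, not a CA, decides whether the new certificate is legitimate (and calls `repin` if so). Pinning the SubjectPublicKeyInfo instead would survive renewals that keep the key, at the cost of parsing the certificate.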