Greetings!

*** John Goerzen [2021-08-03 21:46]:
>And here I would say: let's start by meeting people where they're at and
>educating them.  It's the only way we'll be able to spread.

And that is the chicken and egg problem :-). For example I am not on any
popular social networks, I forbid using JavaScript in the browser,
proprietary formats and so on, so on and on. Can cypherpunk, as an
example, be on Facebook with his iPhone? I think not. But I agreed that
often it is the only way to reach the people. Personally I won't go on
compromise and let myself allow anti-cypherpunks technologies usage. For
example I respect Stallman, who just stops the record and go away, if
noone will guarantee him that it will be available under free formats. I
am rather stubborn principal person and it is easier for me to bury some
of my wishes (like spreading the knowledge of cryptography basics), than
to reconcile myself with something unallowable (from my point of view),
because I definitely won't respect myself from that point. I would quit
the job if one will pressure me using Microsoft Word document formats. I
had some troubles in the institute (but solved them!), forbidding to use
any kind of proprietary software. I know that now there is no way to
chat (and make relationships) with the girls, because of their closed
proprietary vendor-locked-in smartphone ecosystems, they only used to
use :-). Life is harder because of that, but my principles, the fact
that I truly tend to follow the ideas I really believe, are more
important for me.

>Interesting.  I have been meaning to get involved with Gemini for quite some
>time.

I just read about it, but actually because of *forced* TLS usage I do
not like that project. It just forces me to do something very
inefficient and lame when I use IPsec, isolated LAN, localhost. Why do
not they use Noise, that is much much more simpler even than TLS 1.3
(very simplified version, comparing to TLS 1.2)? I understand that it is
because of TLS-libraries availability, but the same reason can be
applied to HTTP/WWW -- they are already existing too. Basically Gemini
even answers that in the FAQ: when you see "gemini://" you expect to see
no advertisements and similar junk. But who forbids including them in
Gemini pages, in Gopher pages? The fact that people who run Gemini are
not interested in that? That is not an acceptable answer and reason for me.
But that is completely different story :-). Gopher is no way worse than
Gemini in my opinion, except the only fact, that its RFC does not
explicitly allow sending of UTF-8.

>[...]
>But what governments do is not the same as what people do.  I have been a
>supporter of EFF for a very long time (decades).  They are the good guys
>here.

Completely agreed with everything said above. I also supported (with
money) EFF and very respect many people behind that organization. But...
EFF changed drastically over time. Possibly I changed much especially
for the last decade :-). But then EFAIL issue appeared (https://efail.de/)
EFF massively spread information that the whole OpenPGP ecosystem is so
bad, that it should not be used at all, better to use Signal.
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
(this is slightly updated article, mentions patches and fixes)
OpenPGP is far from being ideal, perfect, having good (simple!) design,
but it is still the only way to use strong serious cryptography on most
systems (GnuPG was often installed out-of-box in most GNU/Linux
distributions)! And EFF calls to abandon it. With the "Signal"
suggestion as a replacement. "Signal" without any doubts is the best
tool among WhatsApp/Telegram/Viber/do-not-know-what-people-also-use, but
it still uses cellphone binding, that is *completely* unacceptable for
me and it is the reason I can not frankly recommend it (I do not say "I
do not recommend it", I just do not say about it at all). EFF
cypherpunks values has changed? They think that every person has the
cellphone? That it is acceptable to think that everybody definitely has
it? I can not agree with that. Moreover, how can they tell about
WhatsApp usage? https://ssd.eff.org/module-categories/tool-guides
Seriously? No, this is not the same organization I supported before. We
have very different values and acceptable criteria.

Possibly that I am just radically changed over the years. Several years
before I run 100Mbps Tor exit node. That was DoSed many times from
China. I had several conversations with our police forces, including
international complaints about actions from my node. But I believed that
anyway I did a right thing, obviously nothing harmful. Nowadays I
completely against Tor, at least because of the fact, that it has
centralized routers database completely driven by/from US again. And
there were several memorable censorship occasions by Tor's "rulers"
(operators of that database), like that one
https://www.mail-archive.com/tor-relays@lists.torproject.org/msg11947.html
That slightly fears myself, but I really in solidarity with that
thoughts: https://withblue.ink/2020/11/12/maybe-we-shouldnt-want-a-fully-decentralized-web.html
Some sentences from it I became very agreed with:

    [...] and I am now a proponent of the idea that just because
    something can be built, it doesn’t mean it should be built.

    I have seen, and I am seeing every day, the dangers of completely
    unrestricted speech, and I don’t want to be the one enabling that.

    [...] your freedom of speech isn’t my obligation to enable you and
    give you a platform.

    I think that while the Internet has helped the world in countless of
    ways, it has also brought out the worst in people.

And Tor, being centralizingly controlled from US, for me is actually the
communication channel for supporting opposition and destabilizing forces
in many countries, including my one. I really feel the great
responsibility for the things I run/do/create/support. When I support
Tor, I support valuable people, valuable and important tasks, but at the
same time I support a magnitude more people/forces that are literally
has the target of making my life worse (oppositional forces in my
country). So I do more harm by running all those Tor exit nodes.

Moxie Marlinspike told that "ecosystem is moving":
https://www.youtube.com/watch?v=Nj3YFprqAr8
Great talk! But I can not accept the fact that it is better to have
those "smart" devices with centralized auto-updating servers. It is
better to use Signal that completely plaintext SMTP messages, agreed.
But it is not the aim we (I) trying to reach. For me it is like saying
that "a brick is better for hammering the nail, than you bare hand": no
doubts, but I think that we should not think about using a brick at all,
and our first checkpoint have to be using an ordinary convenient hammer.
"Signal" is a brick here. Some cool GNUnet-driven ecosystem (for
esample) is a hammer we should wish for.

>I'm not saying that Let's Encrypt is perfect, but mere presence in the US
>doesn't constitute technical control by the US government.

Agreed. But the fact that for years all major big software companies
like Apple/Google/Microsoft removed every gratis CA, and then *suddenly*
there appeared Let's Encrypt (virtually from nowhere) that is heavily
supported by all major vendors. Who would have the most benefit, profit
and interest in single CA responsible for >70% of all websites?
Intelligence agencies without any doubts. Of course currently there is
no evidence that Let's Encrypt is compromised and is under direct
control of any of those agencies, but I really honestly can not believe
that that kind of huge CA is located under US jurisdiction and
completely independent and not compromised (from cryptographic point of
view). All US special forces history shows us that NSA/whatever can even
repack boxes with Cisco hardware, implanting hardware backdoors, than to
bury their wish of surveillance. No offence or disrespect to anybody I
have mentioned! Surveillance, intelligence, espionage is *the* job of
that kind of forces, it is what they are intended to do, they are
essential for security, defence and stability in the country (at least).
And they try to do their best. And Let's Encrypt, people behind it, its
founders -- I hope are honest people trying to do their best too. But I
just can never believe that any expected natural will of special forces,
when there is question of national security, can be prevented/denied by
"ordinary" company under their jurisdiction. Possibly that could happen
in Netherlands, Sweden, but unbelievable it could be possible in
countries like China, Russia, US.

>I've written recently, eg

Yeah, I am subscribed to your blog :-)

>aren't in a language I understand.

So do I. (kidding :-))

>So I touched on some of these issues at https://changelog.complete.org/archives/10216-the-hidden-drawbacks-of-p2p-and-a-defense-of-signal
>where I pointed out that "Signal brings encryption and privacy to meet
>people where they’re at".  I think that's really important - Signal's not
>perfect, but it provides benefits over something controlled by Facebook.

Agree with that points. But possibly I just want too much at once: want
only either to jump or to stand without moving, throwing away the
possibility to make at least some small step in the right direction.

>I specifically put a non-https link in the message

So do I, not forcing HTTPS, but allowing users to make their own decision.

>and browsers are "upgrading" to https opportunistically

And I would say that before that behaviour, when using HTTP, when
visiting russian website from russian city -- no traffic went to
US/NATO. And since force HTTPS, with Let's Encrypt, and with all of that
forced DNS-over-TLS/HTTPS, much traffic with at least metadata goes to
foreign countries now. Of course this is some kind of conspiracy theory,
but technically with all that HTTPS, DoH, DoT -- much metadata is leaked
"outside" :-)

>Would you object if I set up something like nncp.mirrors.quux.org or some
>such, with a TLS cert?  I'm not sure if that's a good plan or not, yet, or
>really how big a deal this is

I have nothing against. I can add a link to your mirror of course. Can
enable WebDAV or rsync to simplify mirroring, if you do not want to
rebuild documentation from sources.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF