Re: Website TLS certificates

public inbox for nncp-devel@lists.cypherpunks.ru
Atom feed

From: Sergey Matveev <stargrave@stargrave•org>
To: nncp-devel@lists.cypherpunks.ru
Subject: Re: Website TLS certificates
Date: Wed, 4 Aug 2021 22:24:49 +0300	[thread overview]
Message-ID: <YQrpgUOqyqeGyO1S@stargrave.org> (raw)
In-Reply-To: <20210804185426.nfu5me4ab7ssfq7r@faeroes.freeshell.org>

[-- Attachment #1: Type: text/plain, Size: 4626 bytes --]

*** Jonathan Lane [2021-08-04 18:54]:
>No, the fact that Gemini and Gopher are single-request-per-page
>protocols.  Dynamic hotloaded web style ads are fundamentally impossible.
>The worst you could get on Gemini is first-party sponsored content.

Ability to fetch multiple documents at once does not force anyone to do
it, especially for doing it for advertisement and similar junk.
Everything is in hands of the authors. If author decides to show
advertisement, then he can make it anyway, even in Gemini, even in Gopher.

>Everyone DOES have a smartphone in the US, statistically speaking.

That is very sad. So EFF and people seek ways how to live "securely"
with "personal surveillance devices, aimed to run various non-free
software automatically downloaded from some servers over the network".
For me this is completely ridiculous task, obviously. Seems that is why
I completely ignorant now to EFF, trying to help that kind of people.

>Protip: 99% of the English-speaking people saying/writing this are just
>asshurt that the political right wing finally figured out how to use
>FOSS, cryptography, etc.  They're trying to return to a Soviet-style
>world where only the political left has any kind of infosec capability.

I do not remember what left/right wings means (I just know that there is
that kind of separation), but if all of that means that author's article
is about Soviet-style, then nothing strange that I came up to this too,
being born in USSR, being citizen of Russia, supporting software and
tripping to Iran, Syria, working in one of federal security companies :-)

>agency is going to interfere with a TLS CA like Let's Encrypt, the
>threat posed by that is that they can silently MITM a website like
>NNCPGo.org.

Exactly.

>They can do that right now anyways due to plaintext HTTP.

Also true.

>Either the tarball signature matches, or it doesn't, and website HTTPS
>doesn't change that

Indeed.

>What it does change, as John mentioned, is
>reputation.  I passed up on using NNCP for over a year until I saw it
>mentioned on his blog specifically because it looked like a classic
>malware profile from an American perspective: unknown software from
>Russia delivered without a certificate or with an untrusted one.  If
>your goal is to spread adoption, there needs to be some HTTPS mirror,
>whether hosted by you or someone else.

If the world where everyone DOES have the smartphone requires you to use
some US/NATO (because major software vendors, currently located in
US/NATO, forbids anyone else, who is gratis -- we all know that
everything is about business, not security) service, then no, thank
you -- I really do not want to gain that kind of reputation. If people
evaluate software by looking at who is signed its website... well, let
they go their own way. If people are really in need of funny pictures
with very loud words about security, then Telegram is their choice. And
I see that exactly that kind of thing is happening. I have never wanted
and tried to compete with the professional sales and marketing managers
(this is just silly).

>it's too hard for people to bring their non-technical friends along they
>won't bother, because their conversations with those friends will still
>be on the insecure platform.

Agreed. But that also means that actually none of this people want
security/privacy at all. They just do not want to "pay" (possibly by
some inconvenience) anything for that. So why bother trying to secure
them? Not the target audience.

>Signal is easy for those non-technical people to use.

But hardly anyone will see his friends moving from WhatsApp to Signal.
Either user uses only the single WhatsApp, or he uses two applications,
for two groups of people. All new contacts will anyway appear in
WhatsApp (Telegram, whatever). Or am I wrong, as with thinking that
there people without smartphones in the Western world?

>Matrix with forced e2e OLM based crypto might be another
>good option some day once the clients and servers mature a bit.

I could believe that people can move all their contacts to Signal, but
would never believe that federated (or distributed, whatever) service
can compete with quality of service of centralized services, which can
even afford lending of communication links for lower delays and
anycasted distributed hops. If people are already wearing and using
portable surveillance devices, then everything is already doomed.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

next prev parent reply	other threads:[~2021-08-04 19:24 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-19 16:57 [EN] NNCP 7.4.0 release announcement Sergey Matveev
2021-07-21 18:47 ` Jonathan Lane
2021-07-21 19:13   ` John Goerzen
2021-07-21 19:32   ` Website TLS certificates Sergey Matveev
2021-08-03 15:58     ` John Goerzen
2021-08-03 18:02       ` Sergey Matveev
2021-08-04  2:46         ` John Goerzen
2021-08-04 12:51           ` Sergey Matveev
2021-08-04 18:54             ` Jonathan Lane
2021-08-04 19:24               ` Sergey Matveev [this message]
2021-08-04 20:16               ` Sergey Matveev
2021-09-02  8:59     ` Sergey Matveev