salt fish u dumb

# Nov 19, 2014 02:18

we're complaining because TLS is a fuckshow and OpenSSL is a platform for fuckheads selling FIPS certification services to make a name for themselves first and actually implementing a robust security protocol second. A huge gang of CAs who "take your security very seriously" and may or may not have ties to the United States or Chinese government intelligence services is also not ideal. Though I suppose replacing it by One Key To Rule Them All in the form of DNSSEC is probably not an improvement.

# Nov 19, 2014 02:19

Mr Dog posted:
> we're complaining because TLS is a fuckshow and OpenSSL is a platform for fuckheads selling FIPS certification services to make a name for themselves first and actually implementing a robust security protocol second

isn't the DNSSEC master signing key distributed through 7 people or something

# Nov 19, 2014 02:21

hey salt fish what is your opinion on perfect forward secrecy, and secondly SNI, and their cost/benefit for the overall security of self-signed certificates.

# Nov 19, 2014 02:21

Captain Foo posted:
> salt fish u dumb

Bruce Schneier and Poul-Henning Kamp are on my side and the NSA is on yours so I think perhaps I am right.

# Nov 19, 2014 02:22

nice appeal to authority fuCker

# Nov 19, 2014 02:23

but guess what: ur fuckin wrong and all the browsers are right

# Nov 19, 2014 02:23

pram posted:
> nice appeal to authority fuCker

An appeal to authority is only a fallacy when the person isn't actually an authority. https://www.youtube.com/watch?v=fwcl17Q0bpk&t=897s

# Nov 19, 2014 02:24

Salt Fish posted:
> Bruce Schneier and Poul-Henning Kamp are on my side and the NSA is on yours so I think perhaps I am right.

those self signed certs make it impossible for the NSA to get your data

# Nov 19, 2014 02:24

Salt Fish posted:
> An appeal to authority is only a fallacy when the person isn't actually an authority.

my authority is all the browsers in existence

# Nov 19, 2014 02:25

Salt Fish posted:
> An appeal to authority is only a fallacy when the person isn't actually an authority.

i think you'll find it could still be a fallacy if you are wrong (which you are)

# Nov 19, 2014 02:25

bobbilljim posted:
> those self signed certs make it impossible for the NSA to get your data

The point is that *nothing* makes it impossible for the NSA to get your data. You can only increase the cost of getting your data.

# Nov 19, 2014 02:26

christ no one is talking about ssl to secure themselves from the nsa

# Nov 19, 2014 02:27

.

Sassafras fucked around with this message at 00:51 on Nov 25, 2014

# Nov 19, 2014 02:29

Salt Fish posted:
> The point is that *nothing* makes it impossible for the NSA to get your data. You can only increase the cost of getting your data.

so you want to waste your tax dollars or what

# Nov 19, 2014 02:29

pram posted:
> christ no one is talking about ssl to secure themselves from the nsa

The NSA's stated goal (publicly stated) is to collect all internet communications. One of their publicly stated methods of doing this is by undermining encryption and encouraging the use of cleartext. SSL directly undermines their ability to do this.

# Nov 19, 2014 02:30

i watched that video for like 1 minute from wherever you started it and that guy is right in one very specific edge case scenario only: that yes, if i am at starbucks and you are at starbucks and you talk to a website with a self signed cert, correct, it will be encrypted from me instead of cleartext for me (leaving the NSA out of this because they can probably already break most common encryptions and if they can't they probably have a backdoor). in that minute though he was only focused on that one aspect, and conveniently leaves out all the 8235962835923 bad reasons why having a browser implicitly trust a self signed cert is a horrible idea

# Nov 19, 2014 02:30

Salt Fish posted:
> The NSA's stated goal (publicly stated) is to collect all internet communications. One of their publicly stated methods of doing this is by undermining encryption and encouraging the use of cleartext. SSL directly undermines their ability to do this.

yes and unsigned certs are still bad for websites

# Nov 19, 2014 02:31

bobbilljim posted:
> so you want to waste your tax dollars or what

I think this may already be happening. I like the idea of EFF providing certs mostly because it makes it affordable to the global poor, aside from CAs being a racket. A few hundred bucks isn't much to most of us but it's a lot if you make a few grand a year.

# Nov 19, 2014 02:31

Salt Fish posted:
> Bruce Schneier and Poul-Henning Kamp are on my side and the NSA is on yours so I think perhaps I am right.

https://www.schneier.com/blog/archives/2014/11/a_new_free_ca.html

# Nov 19, 2014 02:32

Sassafras posted:
> DANE's getting no traction so far because of the chicken & egg problem of "nothing uses it / nothing supports it", where the latter is because browser vendors have learned to care about attack surface. I think Chrome and Mozilla would both add it pretty fast if they had any reason to.

huh. well idk maybe use network notaries instead then, what's the current thinking on those? but TLS still needs to be pared the gently caress down and replaced with something that doesn't involve X.509 and all the other useless poo poo in there

# Nov 19, 2014 02:32

PROS: Might make the NSA's job harder by 20% to get your data if they are interested in it

CONS: Every grandma who clicks a link in a email and gets a site "and it says citi-bank.com right there, green shield and all, where did all my money go?" "grandma no that dash it's not citi-bank.com its citibank.com you need to look for" "why do they make this so hard?"

# Nov 19, 2014 02:33

pram posted:
> lol self signed certs arent the answer. theyre already making a free CA anyway

# Nov 19, 2014 02:33

ya. if that chain root ever makes it into one of my keystores i'm deleting it immediately.

# Nov 19, 2014 02:35

muh artisanal certs

# Nov 19, 2014 02:37

Sniep posted:
> PROS: Might make the NSA's job harder by 20% to get your data if they are interested in it

That isn't how the NSA collection programs work. They don't have to target you or "want it", they automatically collect it by virtue of it being cleartext. They keep a list of every site you visit in cleartext for example. These lists are kept for multiple months and if you are on a list, for example by googling for tor or tails, then they keep it forever. Also, your grandma is going to fall victim to cleartext phishing if anything. Every phishing site I've basically ever seen (and I used to admin reseller servers so that is in the hundreds) has used cleartext. Probably 99% of phishing sites use cleartext.

# Nov 19, 2014 02:37

i kind of like the difference between assuming I can't trust the site, assuming someone is impersonating the site, and assuming the site is secure but that's me

# Nov 19, 2014 02:38

Salt Fish posted:
> That isn't how the NSA collection programs work. They don't have to target you or "want it", they automatically collect it by virtue of it being cleartext. They keep a list of every site you visit in cleartext for example.

none of this makes self signed certs good

# Nov 19, 2014 02:38

youre moving the loving goal posts and pretending everyone said 'SSL IS BAD'

# Nov 19, 2014 02:39

Salt Fish posted:
> Probably 99% of phishing sites use cleartext.

right and that's because currently there's no way they can cheat out a "secure site". tell me, and tell me honestly, you think fraud would go DOWN when all the people trained with the badge now see the badge and go thru with it, because now it's not plaintext and plaintext gets a Big Red X

# Nov 19, 2014 02:40

pram posted:
> none of this makes self signed certs good

If I connect to web servers via self-signed certs the NSA cannot automatically record which domains I visited without doing a MITM attack which to my knowledge they are unable to automate. How is that moving goal posts? I'm still harping on cleartext < self-signed < signed.

# Nov 19, 2014 02:40

Sniep posted:
> right and that's because currently there's no way they can cheat out a "secure site"

There isn't a badge. You're inventing a badge. It's a strawman UI design that I'm not going to defend. Interestingly enough your strawman indicates that you understand that browser UI can communicate security to people. Right now they're communicating that cleartext is fine and that isn't okay.

# Nov 19, 2014 02:41

Salt Fish posted:
> If I connect to web servers via self-signed certs the NSA cannot automatically record which domains I visited without doing a MITM attack which to my knowledge they are unable to automate. How is that moving goal posts? I'm still harping on cleartext < self-signed < signed.

because self signed certs are not secure

# Nov 19, 2014 02:42

what if. hold on to your hats. its not the NSA doing the MITM, but the person who signed the cert!!!!!!

# Nov 19, 2014 02:42

Salt Fish posted:
> If I connect to web servers via self-signed certs the NSA cannot automatically record which domains I visited without doing a MITM attack which to my knowledge they are unable to automate. How is that moving goal posts? I'm still harping on cleartext < self-signed < signed.

pretty sure they just go to your ISP for this

# Nov 19, 2014 02:43

How does an automated CA prevent against me signing up for a cert for citibank.com

# Nov 19, 2014 02:44

Suspicious Dish posted:
> How does an automated CA prevent against me signing up for a cert for citibank.com

I would guess that they plan on having you confirm that you own the domain before giving you a cert. So if it were automated, you'd get one when registering the domain. If you already have it they'd probably have you drop a file on the server or likewise.

# Nov 19, 2014 02:46

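As an added example, not taken from this thread and not Let's Encrypt's own code, here is a toy Python model of the "drop a file on the server" check the post above describes. The CA hands the applicant a random token, expects a file derived from it at a well-known path on the domain in question, and signs nothing unless what it fetches matches. The domain names, account keys and the in-memory stand-in for the web are constructed for the example; a real CA (Let's Encrypt uses the ACME protocol for this) resolves the name and fetches over HTTP.

```python
"""Toy model of domain-control validation by serving a challenge file.
Constructed for illustration; not Let's Encrypt's code and not production-ready."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def b64url(data: bytes) -> str:
    """URL-safe base64 without padding, used for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


@dataclass(frozen=True)
class Challenge:
    domain: str
    token: str        # random, chosen by the CA, one per challenge
    thumbprint: str   # hash of the applicant's account key

    @property
    def path(self) -> str:
        return f"/.well-known/acme-challenge/{self.token}"

    def key_authorization(self) -> str:
        # Binds the token to the account that asked for it, so a file found
        # on a site is only good for the account the CA issued it to.
        return f"{self.token}.{self.thumbprint}"


class ToyCA:
    """Signs for a domain only if the domain's web server echoes back the
    challenge it was given."""

    def __init__(self, web: dict):
        # web: domain -> {path -> body}; stands in for fetching over HTTP
        # from whatever address the domain resolves to.
        self.web = web
        self.issued = []

    def new_challenge(self, domain: str, account_key: bytes) -> Challenge:
        thumb = b64url(hashlib.sha256(account_key).digest())
        return Challenge(domain, b64url(secrets.token_bytes(32)), thumb)

    def validate(self, ch: Challenge) -> bool:
        body = self.web.get(ch.domain, {}).get(ch.path)
        if body is None:
            return False  # nothing served at the path on that domain
        ok = hmac.compare_digest(body.strip(), ch.key_authorization())
        if ok:
            self.issued.append(ch.domain)
        return ok


def publish(web: dict, domain: str, path: str, body: str) -> None:
    """Stand-in for the applicant placing a file on a server they control."""
    web.setdefault(domain, {})[path] = body


def owner_of_domain_passes() -> bool:
    web = {}
    ca = ToyCA(web)
    ch = ca.new_challenge("shop.example", b"shop-account-key")
    publish(web, "shop.example", ch.path, ch.key_authorization())
    return ca.validate(ch)  # True: the file appeared on shop.example itself


def applicant_without_control_fails() -> bool:
    web = {}
    ca = ToyCA(web)
    ch = ca.new_challenge("bank.example", b"some-other-account-key")
    # The applicant can only publish on a host they actually control,
    # so the CA finds nothing at the path on bank.example.
    publish(web, "other.example", ch.path, ch.key_authorization())
    return ca.validate(ch)  # False


def bare_token_is_not_enough() -> bool:
    web = {}
    ca = ToyCA(web)
    ch = ca.new_challenge("shop.example", b"shop-account-key")
    # Serving the token alone, without the account thumbprint, does not
    # match the expected key authorization.
    publish(web, "shop.example", ch.path, ch.token)
    return ca.validate(ch)  # False


if __name__ == "__main__":
    print("owner passes:", owner_of_domain_passes())
    print("no control fails:", not applicant_without_control_fails())
    print("bare token fails:", not bare_token_is_not_enough())
```

The check proves control of the host the name currently points at, nothing more: it says who can publish on the site, not who owns the name in any legal sense, which is exactly the level of assurance a domain-validated certificate is meant to give.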
Salt Fish posted:
> There isn't a badge. You're inventing a badge. It's a strawman UI design that I'm not going to defend.

it's a UI convention that is widely accepted and supported that shows the validity of a certificate chain to a trusted root. it's what helps reduce fraud by a ton. it's not perfect but it's a hell of a lot better than "feeling secure using a browser" when that browser shows you in that UI that it trusts explicitly that joe.com actually is joe.com, regardless of whether the people whose job it is, and whose entire business and reputation is on the line to swear that joe owns joe.com, say so, and i could be joe.com if i signed a cert saying so. i should show up like i have a verisign vouched cert when *I* want to be chase.com bankofamerica.com and wellsfargo.com all in the same night! I mean i don't have a verisign cert, but i should show up to users like i do!

# Nov 19, 2014 02:46

here u go https://letsencrypt.org/howitworks/technology/

# Nov 19, 2014 02:46