|
Also, why are we talking about TLS instead of the fact that systemd won in Debian again. http://lwn.net/Articles/621713/
|
#
?
Nov 19, 2014 02:46
|
|
|
|
| # ? May 14, 2024 09:03 |
|
|
Suspicious Dish posted:How does an automated CA prevent against me signing up for a cert for citibank.com very carefully!!!!!
|
|
#
?
Nov 19, 2014 02:48
|
|
|
bobbilljim posted:very carefully!!!!!
|
|
#
?
Nov 19, 2014 02:49
|
|
|
Salt Fish posted:I'm still harping on cleartext < self-signed < signed. And this ordering is fundamentally wrong because the only use of self-signed in the wild is for MITM attacks. From the end-user perspective, self-signed is at best equivalent to cleartext and in reality a strong indicator that they are a victim of an attack in progress. You'd have to introduce some kind of "we know this is a self-signed cert, gently caress the NSA, amirite?" flag to the certificate's metadata to get the browser UI to merely pretend it is cleartext, and even then that's probably prone to abuse.
|
|
#
?
Nov 19, 2014 02:49
|
|
|
Sassafras posted:2015 might bring some changes here, either from Cloudflare, cloudflare is def not the answer since you literally cant tell if the source connection is encrypted or not
|
|
#
?
Nov 19, 2014 02:50
|
|
|
pseudorandom name posted:And this ordering is fundamentally wrong because the only use of self-signed in the wild is for MITM attacks. mega agreedo
|
|
#
?
Nov 19, 2014 02:50
|
|
|
pseudorandom name posted:the only use of self-signed in the wild is for MITM attacks. and, apparently, slightly inconveniencing the NSA
|
|
#
?
Nov 19, 2014 02:50
|
|
|
Suspicious Dish posted:Also, why are we talking about TLS instead of the fact that systemd won in Debian again. systemd reminds me of uac in the sense that it's trying to make people do the right thing in software design and folks unwilling to change haaaate it
|
|
#
?
Nov 19, 2014 02:51
|
|
|
pseudorandom name posted:And this ordering is fundamentally wrong because the only use of self-signed in the wild is for MITM attacks. same
|
|
#
?
Nov 19, 2014 02:52
|
|
|
well, a good use of self signed in the wild is intranet/corp poo poo where they run a CA and push the root to alt heir machines like i said earlier. but that's about it. but i digress heavily
|
|
#
?
Nov 19, 2014 02:52
|
|
|
Gazpacho posted:are the beards actually agitating for a "forced breakup" of systemd? like, they're literally trying to apply antitrust discourse to a free project? lmao bruce perens unironically advocated this, yes
|
|
#
?
Nov 19, 2014 02:54
|
|
|
what makes debian think theyre relevant enough to force the systemd devs to do anything lol
|
|
#
?
Nov 19, 2014 02:54
|
|
|
Sniep posted:well, a good use of self signed in the wild is intranet/corp poo poo where they run a CA and push the root to alt heir machines like i said earlier. but that's about it. this isn't the wild, fuckwit
|
|
#
?
Nov 19, 2014 02:55
|
|
|
Suspicious Dish posted:Also, why are we talking about TLS instead of the fact that systemd won in Debian again. oh cool
|
|
#
?
Nov 19, 2014 02:57
|
|
|
Captain Foo posted:this isn't the wild, fuckwit that isn't even self-signed, its just an additional private addition to the trusted CA list
|
|
#
?
Nov 19, 2014 02:57
|
|
|
So the entire argument against is literally "we would never be able to train the users!". It's handwaving away a technical solution because the UX is too hard. "Gosh, I just don't know how we'd make the UI, so lets just use cleartext" is actually what I'd expect from a group of OSX users and lazy programmers (IE yospos).
|
|
#
?
Nov 19, 2014 02:57
|
|
|
oval office AND PASTE posted:[*]if you can't adapt to new workflows, you are not a power user, you are inflexible and broken and no screaming of yeah, i am inflexible and i am the actual target for the linux desktop. someone who uses linux desktop software every single day and occasionally contributes bug reports and patches i am not the proverbial "aunt tillie" or a teenage dabbler who installs it long enough to take screenshots. i am an actual living, breathing user and i want my poo poo to not be broken oval office AND PASTE posted:[*]the preferences dialogs aren't gone, they're finally all in one consistent place (as long as the app is gtk3-friendly) ok how do i turn on focus follows mouse in gnome 3? oval office AND PASTE posted:[*]task lists have always sucked, there's never been a good implementation and even the major desktops who pioneered them have since replaced them with docks (long before gnome did, to be honest) lol you couldn't teach it to wash itsefl, so you just chucked out the baby with the bathwater oval office AND PASTE posted:[*]please name one thing that the design of nautilus literally prevents you from doing (that isn't "open a tab" or some other workflow-related non-blocking non-task) i was going to bitch but i just opened nautilus 3.14 and it is less broken now. not having a treeview still sucks but at least it is not fundamentally unusable a low bar to clear: it's not completely, totally useless oval office AND PASTE posted:
you made it non-discoverable AND hid all the features AND you're proud of it great work, guys you can shut the project down, now. there's nothing left to be removed or hidden from users. not even the text editor is usable
|
|
#
?
Nov 19, 2014 02:57
|
|
"but my workflow"
|
Salt Fish posted:So the entire argument against is literally "we would never be able to train the users!". It's handwaving away a technical solution because the UX is too hard. "Gosh, I just don't know how we'd make the UI, so lets just use cleartext" is actually what I'd expect from a group of OSX users and lazy programmers (IE yospos). self signed certs are not secure
|
|
#
?
Nov 19, 2014 02:58
|
|
|
pram posted:what makes debian think theyre relevant enough to force the systemd devs to do anything lol debian doesn't think so because debian is already doing the changeover idiots at the knobs who got there over years of work want to blow it all on this hill to die on because reasons
|
|
#
?
Nov 19, 2014 02:58
|
|
|
Captain Foo posted:systemd reminds me of uac in the sense that it's trying to make people do the right thing in software design and folks unwilling to change haaaate it change is intrinsically bad you need an extraordinarily good reason to force change on users
|
|
#
?
Nov 19, 2014 02:58
|
|
|
Sniep posted:well, a good use of self signed in the wild is intranet/corp poo poo where they run a CA and push the root to alt heir machines like i said earlier. but that's about it. that's not a self-signed cert
|
|
#
?
Nov 19, 2014 02:59
|
|
|
.
Sassafras fucked around with this message at 00:51 on Nov 25, 2014 |
|
#
?
Nov 19, 2014 03:00
|
|
|
pram posted:self signed certs are not secure Okay, so if I post a message encrypted with my self-signed cert you can decrypt it? Nothing is secure, there are just varying costs of breaking in. This is true for all security systems everywhere forever.
|
|
#
?
Nov 19, 2014 03:01
|
|
|
Salt Fish posted:Okay, so if I post a message encrypted with my self-signed cert you can decrypt it? the person who made the cert can
|
|
#
?
Nov 19, 2014 03:03
|
|
|
pram posted:the person who made the cert can Can you?
|
|
#
?
Nov 19, 2014 03:03
|
|
|
Notorious b.s.d. posted:that's not a self-signed cert okay okay. i just can't figure a good purpose of any self signed cert other than internal poo poo. if you want to really trust that the person who claims to be something isnt something else, you're not looking at necessarily just the tech details but who vouched for them. it's kinda like real life. "yeah im 21 sell me this beer" "lemme see your id" *sees id* "you made this, im taking this and calling the police!" "wait yes i made it but it proves im 21"
|
|
#
?
Nov 19, 2014 03:03
|
|
|
Salt Fish posted:Can you? if you were posting on my self signed secure website yes
|
|
#
?
Nov 19, 2014 03:04
|
|
|
Salt Fish posted:Okay, so if I post a message encrypted with my self-signed cert you can decrypt it? Nothing is secure, there are just varying costs of breaking in. This is true for all security systems everywhere forever. You're not posting a message encrypted with your self-signed cert idiot, you're encrypting it with my self-signed cert. Or possibly somebody else's self-signed cert, you have no way of knowing.
|
|
#
?
Nov 19, 2014 03:04
|
|
|
Suspicious Dish posted:How does an automated CA prevent against me signing up for a cert for citibank.com can your web server serve content to the public at http://citibank.com/arbitrary/cool/url ? https://letsencrypt.org/howitworks/technology/
|
|
#
?
Nov 19, 2014 03:04
|
|
|
Salt Fish posted:So the entire argument against is literally "we would never be able to train the users!". It's handwaving away a technical solution because the UX is too hard. "Gosh, I just don't know how we'd make the UI, so lets just use cleartext" is actually what I'd expect from a group of OSX users and lazy programmers (IE yospos). Salt Fish posted:Okay, so if I post a message encrypted with my self-signed cert you can decrypt it? Nothing is secure, there are just varying costs of breaking in. This is true for all security systems everywhere forever. self signed certs are worthless
|
|
#
?
Nov 19, 2014 03:07
|
|
|
no theyre good because some youtube guy said they stymie the NSA
|
|
#
?
Nov 19, 2014 03:08
|
|
|
Sniep posted:okay okay. i just can't figure a good purpose of any self signed cert other than internal poo poo. if you want to really trust that the person who claims to be something isnt something else, you're not looking at necessarily just the tech details but who vouched for them. it's kinda like real life. a self-signed cert is a certificate that is signed by the certificate's own key. every self-signed cert, anywhere, ever, is suspicious. there is no good reason, ever, for a cert to be self-signed. internal certificates are signed by a CA key, it's just not not necessarily a CA the client recognizes. this is how your internal resources might be secured. in reality it's so unpleasant to deploy internal CAs to clients, most people just suck it up and pay for public certs for use on internal-only services
|
|
#
?
Nov 19, 2014 03:09
|
|
|
Notorious b.s.d. posted:a self-signed cert is a certificate that is signed by the certificate's own key. every self-signed cert, anywhere, ever, is suspicious. there is no good reason, ever, for a cert to be self-signed. this
|
|
#
?
Nov 19, 2014 03:11
|
|
|
pram posted:no theyre good because some youtube guy said they stymie the NSA slashdotters and their ilk like to point out that self-signed certs would be useful in combination with cert pinning but that just moves the problem to dns. what the gently caress clients support secure dnssec reliably? who the gently caress publishes secure dns records?
|
|
#
?
Nov 19, 2014 03:12
|
|
|
pram posted:no theyre good because some youtube guy said they stymie the NSA "Some youtube guy" okay, you're really showing off your credentials with that one.
|
|
#
?
Nov 19, 2014 03:13
|
|
|
god u are profoundly stupid lol
|
|
#
?
Nov 19, 2014 03:13
|
|
|
dns hijacking has been a tangential part of my life for a while now that poo poo sucks
|
|
#
?
Nov 19, 2014 03:14
|
|
|
cloudflare needs a way to show that sites are strict ssl. like a header or something
|
|
#
?
Nov 19, 2014 03:18
|
|
|
Notorious b.s.d. posted:can your web server serve content to the public at http://citibank.com/arbitrary/cool/url ? With a targeted MITM, yes, I can. Also lol at relying on the authenticity of DNS records. That's going to work real well.
|
|
#
?
Nov 19, 2014 03:21
|
|
|
|
| # ? May 14, 2024 09:03 |
|
|
"Hm, let's open up an automated system that tries to verify authenticity by poking at insecure, attacker-controlled resources, and certify that. Surely we won't be targeted."
|
|
#
?
Nov 19, 2014 03:23
|
|