Community

Igorette
7 days ago from pump.io
Why a free automated certificate authority is not the solution
The answer is simple: It's a certificate authority.

The certificate authority system is inherently flawed. This was not only proven by the fact that governments as well as criminals could take over broadly accepted certificate authorities in the past, or that these takeovers had to be patched by software updates of a myriad of browsers, operating systems and other software.

It is flawed because it has that huge attack vector: there are over 50 organizations that are trusted by your browser, and they have handed out the privilege to issue certificates for any domain to hundreds of other organizations. Remember, this model is about trust. Do you trust all these, or even the 50 root CAs? Did you verify they properly handle the power they've obtained? I did not; it's too much work.

Adding just yet another organization that can issue certificates for any domain only strengthens that model. It ensures future revenues for the companies providing you the nice little green icons in your browser, called "extended validation". I will leave looking up the prices for such an EV certificate and the estimate of how much real human work goes into that as an exercise for the reader.

There's hope though. For a few years now there's been a new standard in the making, called "DNS-based Authentication of Named Entities", DANE for short. It's based on DNSSEC, an effort to prevent forged and non-authoritative answers in the DNS system. In short, DNSSEC guarantees that the IP you're connecting to is controlled by the owner of the domain, and DANE guarantees that there's no middle-man in your connection to the webserver listening on that IP.

DNSSEC reduces the number of entities you have to trust to effectively one, IANA. IANA does contract third parties to operate the root zone; currently this is VeriSign. Every signature can be traced to that single trusted party. To forge a domain you would need to compromise the root zone's key, which is guarded by high standards, much higher than the ones of your average certificate authority. Also, if you compromise at that level, you need to mirror the infrastructure of the whole top level domain your target domain is part of. This is feasible but also visible to monitoring systems. Attacking a top level domain infrastructure directly is also possible, but the effect is greatly reduced: only that single top level domain is compromised. You can't change the keys here either, as you would need to update the signatures in the root zone. And again, an attack is more visible here.

Whether this really reduces the attack vector that much is debatable; what it objectively reduces is the damage you can do. Remember, to compromise the current system as a whole you just need one of the hundreds of little certificate authorities.

You can activate DANE validation today through an excellent browser extension provided by the Czech domain registry. After you have installed it you can see that all my sites already deploy it; it's certainly possible.

I can understand if companies that benefit from the current system embark in such a "free" registry. I can understand if the EFF supports such a system as a short term measure, they don't directly influence any of the major software systems that would need to be adapted.

What makes me angry is that Mozilla is spending a lot of money to support it, while completely neglecting DANE support. There's been no real progress for years now. They support the old broken system while they really could change something. If a major browser vendor like Mozilla shipped DANE support across all its products, it would boost adoption of it a lot.

#mozilla #ssl #dns #dnssec #dane #letsencrypt

via Jonne Haß - link
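As an added example (not part of the original post or of any DANE implementation), this shows how a DANE-EE TLSA record pins a server's key in DNS and why a certificate that any trusted CA issued for a different key still fails the check. The SPKI byte strings and the example.org name are constructed placeholders, and the validator only handles the 3 1 1 record type the post's argument relies on.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys):
# the site's own key, and a key a rogue or compromised CA could certify instead.
SITE_SPKI = b"\x30\x59" + bytes(range(87))
ROGUE_SPKI = b"\x30\x59" + bytes(range(1, 88))


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: the record itself names the end-entity key
    selector: int   # 1 = match the SubjectPublicKeyInfo, not the whole certificate
    mtype: int      # 1 = compare a SHA-256 digest of the selected data
    data: bytes


def tlsa_for_spki(spki: bytes) -> TLSA:
    """Build the 3 1 1 record a domain owner would publish for its own key."""
    return TLSA(3, 1, 1, hashlib.sha256(spki).digest())


def presentation(name: str, port: int, rec: TLSA) -> str:
    """RFC 6698 zone-file form, e.g. _443._tcp.example.org. IN TLSA 3 1 1 <hex>."""
    return (f"_{port}._tcp.{name}. IN TLSA "
            f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}")


def dane_ee_accepts(rec: TLSA, presented_spki: bytes, dnssec_validated: bool) -> bool:
    """Would a DANE-EE validator accept the key the server just presented?"""
    # An unsigned or unvalidated DNS answer could itself be forged, so it proves nothing.
    if not dnssec_validated:
        return False
    # This validator only implements usage 3 / selector 1 / matching type 1.
    if (rec.usage, rec.selector, rec.mtype) != (3, 1, 1):
        return False
    # The CA that signed the presented certificate never enters into the decision.
    return hmac.compare_digest(hashlib.sha256(presented_spki).digest(), rec.data)


if __name__ == "__main__":
    rec = tlsa_for_spki(SITE_SPKI)
    print(presentation("example.org", 443, rec))
    # A certificate for ROGUE_SPKI is rejected however trusted its issuing CA is.
    print(dane_ee_accepts(rec, SITE_SPKI, True), dane_ee_accepts(rec, ROGUE_SPKI, True))
```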
Igorette
3 weeks ago from StatusNet
Sign language for "Abortion" - https://i.imgur.com/0uMowBF.gif
Igorette
1 month ago from StatusNet
Top 10 All-Time submissions for /r/ImaginaryHorrors. - http://imgur.com/a/6Qbo4
Igorette
1 month ago from StatusNet
Today's cat weirdness thread on reddit - http://www.reddit.com/r/gifs/comments/2jsloo/_/
Igorette
1 month ago from StatusNet
New ttrss-android version seems a little unstable
Igorette
11 months ago from mustard
This birthday card made me say "what the fuck?" - http://i.imgur.com/XW0U4Q3.jpg
Igorette
1 year ago from mustard
And have an A1 day, bitch.
Igorette
1 year ago from mustard
Henry Farrell for Democracy Journal: The Tech Intellectuals - http://www.democracyjournal.org/30/the-tech-intellectuals.php?page=all
Igorette
1 year ago from mustard
Auto-Brewery Syndrome: Apparently, You Can Make Beer In Your Gut : The Salt : NPR - http://www.npr.org/blogs/thesalt/2013/09/17/223345977/auto-brewery-syndrome-apparently-you-can-make-beer-in-your-gut
Igorette
1 year ago from mustard
Amish Community Not Anti-Technology, Just More Thoughtful : All Tech Considered : NPR - http://www.npr.org/blogs/alltechconsidered/2013/09/02/217287028/amish-community-not-anti-technology-just-more-thoughful
Igorette
1 year ago from mustard
Also a good BOFH excuse generator
Jargon Generator - http://shinytoylabs.com/jargon/#
Igorette
1 year ago from mustard
Cabaret artist Georg Schramm on politics: "My anger is real" - taz.de - http://www.taz.de/Kabarettist-Georg-Schramm-ueber-Politik/!122002/
Igorette
1 year ago from mustard
"What platform do you use to run your infrastructure?"
"I use cocaine"
https://github.com/cocaine/cocaine-core
Igorette
1 year ago from mustard
Tweet from @acarvin : Whenever you hear it's a "pro-Morsi vs. anti-Morsi" dialectic, remember this venn diagram. #egypt opegypt.wordpress.com/2013/08/02/mainstream-media-likes-simple-labels/
Igorette
1 year ago
Hyperboria: Hyperboria

Hyperboria is a global decentralized network of "nodes" running cjdns software. The goal of Hyperboria is to provide an alternative to the internet with the principles of security, scalability and decentralization at the core. Anyone can participate in the network by locating a peer that is already connected.
Igorette
1 year ago
Oversight: Thank you for volunteering, citizen.
Igorette
1 year ago from mustard
Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages | Ars Technica - http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
Igorette
1 year ago from mustard
Regex Crossword - http://regexcrossword.com/
Igorette
1 year ago from mustard
What’s stopping us from eating insects? | Anthropology in Practice, Scientific American Blog Network - http://blogs.scientificamerican.com/anthropology-in-practice/2013/07/24/whats-stopping-us-from-eating-insects/
Igorette
1 year ago from mustard
Very funny....
Forgotten Employee - https://sites.google.com/site/forgottenemployee/
Igor Ette
1 year ago
Rt: "Heroic effort at great personal cost": Edward Snowden nominated for Nobel Peace Prize

A Swedish sociology professor has nominated Edward Snowden for the Nobel Peace Prize. He says the NSA whistleblower could help "save the prize from the disrepute incurred by the hasty and ill-conceived decision" to give the 2009 award to Barack Obama.
Igor Ette
1 year ago from mustard
Barrett Brown, political prisoner of the information revolution | Kevin M Gallagher - http://m.guardian.co.uk/commentisfree/2013/jul/13/barrett-brown-political-prisoner-information-revolution
Via @ioerror
Igor Ette
1 year ago
I'm ready to leave Google services. But what do I do with the Android app market?
I don't have enough confidence in Aptoide and F-Droid providing malware-free apps.

Tech: Google Latitude and the Squandered Potential of Google+ | TIME.com (Jared Newman)

Google keeps demolishing good services and making Google+ more bloated.
Igor Ette
1 year ago
Intro from Continuum.S01E01

"Twenty years ago
when the corporations bailed
out our failed governments,
they sold it to us
as salvation...
Now we see
that we paid for that rescue
with our freedoms.
We have awoken to the truth
that we have become slaves
to the Corporate Congress...
Today that all changes.
Let the word go forth
from this time and place,
to friend and foe alike,
that we have passed the torch
to a new generation
unwilling to permit the undoing
of human rights and dignities.
And let every corporation know,
whether it wishes us
well or ill,
that we shall pay any price
in order to assure
the survival and the success
of liberty."

"Don't move!
Hands where we can see them!!
Stay where you are!
You're under arrest."
Igor Ette
1 year ago from mustard
Cry for help from San Francisco: Who will stop Google? - Feuilleton - FAZ - http://www.faz.net/aktuell/feuilleton/hilferuf-aus-san-francisco-wer-haelt-google-auf-12271174.html
Igor Ette
1 year ago from mustard
The Shocking Truth About Doug Engelbart: Silicon Valley's Sidelined Genius - http://www.siliconvalleywatcher.com/mt/archives/2013/07/the_shocking_truth_ab.php
Igor Ette
1 year ago from mustard
In Secret, Court Vastly Broadens Powers of N.S.A. - NYTimes.com - http://mobile.nytimes.com/2013/07/07/us/in-secret-court-vastly-broadens-powers-of-nsa.html
Igor Ette
1 year ago
Mastercard and Visa Start Banning VPN Providers
Time to cancel my prepaid.

Torrentfreak: | TorrentFreak (Ernesto)

Following the introduction of restrictions against file-sharing services, Mastercard and Visa have now started to take action against VPN providers. This week, Swedish payment provider Payson cut access to anonymizing services after being ordered to do so by the credit card companies. VPN provider iPredator is one of the affected customers and founder Peter Sunde says that they are considering legal action to get the service unblocked.
Igor Ette
1 year ago
The Rock 'n' Roll Casualty Who Became a War Hero
Igor Ette
1 year ago
Tired of seeing these ZRL links.
Does it make sense to install the Red Matrix in its current state? Is it possible to upgrade from Friendica?
Igor Ette
1 year ago from mustard
Ultras in Germany: Part of a youth movement - taz.de - http://taz.de/Ultras-in-Deutschland/!118954/
Igor Ette
1 year ago from mustard
Motorola Is Listening - Projects - Beneath the Waves - http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html #android #security #privacy
Igor Ette
1 year ago
Android-x86 works quite well with VirtualBox

Android-x86: Android-x86 - Porting Android to x86

Android-x86 Open Source Project
Igor Ette
1 year ago from mustard
James Gandolfini, Actor Who Played Tony Soprano on ‘The Sopranos’ (1961-2013) http://t.co/AML3CDWTou
Igor Ette
1 year ago

Linux Café Hamburg

Starts: Monday July 01, 2013 @ 7:00 PM

Finishes: Monday July 01, 2013 @ 11:00 PM

Location: Cafe Feuerwache, Chemnitzstr. 3-7, Hamburg