Igorette igorette@identi.ca

  • 2020-12-03T15:46:19Z via Identi.ca Web CC: Public

  • 2015-10-02T05:30:26Z via f.doomicile.de To: Public

    I knew Pope Francis was part dinosaur, but I didn't know he was also a magician - https://i.imgur.com/RuLQkuA.gifv

    Sandy Bucket, ostfriesenmärz like this.

    Freemor, Dana, Dana, Dana shared this.

    @igorette@identi.ca LOL, that is great! But those bishops watching need to relax and enjoy the moment a bit more.

    Freemor at 2015-10-02T12:20:56Z

  • 2015-08-06T04:40:28Z via f.doomicile.de To: Public

    I no longer think hydraulics are useless - https://i.imgur.com/tGSS4vM.gifv

    Evan Prodromou likes this.

  • 2015-08-01T04:50:28Z via f.doomicile.de To: Public

    "My school just got a ton of new iMacs...this is what they did with the boxes." - https://i.imgur.com/9jXHLRY.jpg

    ostfriesenmärz likes this.

  • 2015-07-29T04:40:28Z via f.doomicile.de To: Public

    Fly through a galaxy of Debian packages - https://bartle.doomicile.de/url/535058
  • 2015-07-11T09:40:27Z via f.doomicile.de To: Public

    What goes around comes around https://i.imgur.com/lkhYkxn.gifv
  • 2015-07-04T08:50:27Z via f.doomicile.de To: Public

    #wtf /r/wtf gone private¿¡
  • 2015-06-09T02:40:27Z via f.doomicile.de To: Public

    Apple is revolutionizing the world again! - https://i.imgur.com/iq8D4ES.jpg
  • 2015-06-01T13:00:26Z via f.doomicile.de To: Public

    "Jürgen Habermas warned as early as 2008 that the Internet brings about a differentiation into partial publics. Their connection to general lines of conflict is deficient, whereby the shared democratic public sphere is undermined."
  • 2015-06-01T12:52:05Z via f.doomicile.de To: Public

    "Jürgen Habermas warned as early as 2008 that the Internet brings about a differentiation into partial publics. Their connection to general lines of conflict is deficient, whereby the shared democratic public sphere is undermined."
  • 2014-11-30T07:10:29Z via f.doomicile.de To: Public

    A lazy person's guide to being lazy - https://i.imgur.com/lt7cbWc.jpg
  • 2014-11-30T07:08:18Z via f.doomicile.de To: Public

    A lazy person's guide to being lazy - https://i.imgur.com/lt7cbWc.jpg
  • 2014-11-21T06:20:31Z via f.doomicile.de To: Public

    Why a free automated certificate authority is not the solution
    The answer is simple: It's a certificate authority.

    The certificate authority system is inherently flawed; this was not only proven by the fact that governments as well as criminals could take over broadly accepted certificate authorities in the past, or that these takeovers had to be patched by software updates of a myriad of browsers, operating systems and other software.

    It is flawed because it has that huge attack vector: there are over 50 organizations that are trusted by your browser http://ur1.ca/iu8qn and they gave out the privilege to issue certificates for any domain to hundreds of other organizations http://ur1.ca/iu8qo. Remember this model is about trust. Do you trust all these or even the 50 root CAs? Did you verify they properly handle the power they've obtained? I did not, it's too much work.

    Adding just yet another organization that can issue certificates for any domain only... http://ur1.ca/iu8qu
  • jpope shared by Igorette at 2014-11-21T06:04:41Z via AndStatus To: Public

    Why a free automated certificate authority is not the solution

    The answer is simple: It's a certificate authority.

    The certificate authority system is inherently flawed; this was not only proven by the fact that governments as well as criminals could take over broadly accepted certificate authorities in the past, or that these takeovers had to be patched by software updates of a myriad of browsers, operating systems and other software.

    It is flawed because it has that huge attack vector: there are over 50 organizations that are trusted by your browser and they gave out the privilege to issue certificates for any domain to hundreds of other organizations. Remember this model is about trust. Do you trust all these or even the 50 root CAs? Did you verify they properly handle the power they've obtained? I did not, it's too much work.

    Adding just yet another organization that can issue certificates for any domain only strengthens that model. It ensures future revenues for the companies providing you the nice little green icons in your browser, called "extended validation". I will leave looking up the prices for such an EV certificate and the estimate of how much real man work goes into that as an exercise for the reader.

    There's hope though. For a few years now there's a new standard in the making, called "DNS-based Authentication of Named Entities", DANE for short. It's based on DNSSEC, an effort to prevent forged and non-authoritative answers in the DNS system. In short, DNSSEC guarantees that the IP you're connecting to is controlled by the owner of the domain, and DANE guarantees that there's no middle-man in your connection to the webserver listening on that IP.

    DNSSEC reduces the number of entities you have to trust to effectively one, IANA. IANA does contract third parties to operate the root zone; currently this is VeriSign. Every signature can be chased to that single trusted party. To forge a domain you would need to compromise the root zone's key, which is guarded by high standards, much higher than the ones of your average certificate authority. Also, if you compromise at that level, you need to mirror the infrastructure of the whole top level domain your target domain is part of. This is feasible but also visible to monitoring systems. Attacking a top level domain infrastructure directly is also possible; the effect is greatly reduced though, only that single top level domain is compromised. You can't change the keys here either, as you would need to update the signatures in the root zone. And again, an attack is more visible here.

    Whether this is really greatly reducing the attack vector is debatable; what it objectively reduces is the damage you can make. Remember, to compromise the current system as a whole you just need one of the hundreds of little certificate authorities.

    You can activate DANE validation today through an excellent browser extension provided by the Czech domain registry. After you have installed it you can see that all my sites already deploy it, it's certainly possible.

    I can understand if companies that benefit from the current system embark in such a "free" registry. I can understand if the EFF supports such a system as a short term measure, they don't directly influence any of the major software systems that would need to be adapted.

    What makes me angry is that Mozilla is spending a lot of money to support it, while completely neglecting DANE support. There's no real progress for years now. They support the old broken system while they really could change something. If a major browser vendor like Mozilla shipped DANE support, across all its products, it would boost adoption of it a lot.

    #mozilla #ssl #dns #dnssec #dane #letsencrypt

    via Jonne Haß - link

    Igorette, lainfinity, jrobb, lnxwalt@microca.st and 9 others like this.

    Igorette, Olivier Mehani, Freemor, Douglas Perkins and 2 others shared this.

    There is a pretty good summary of the issues (including with DANE) and existing (or not) solutions to the SSL CA problem in the October issue of the Communications of the ACM (nice video for layish people there): Security Collapse in the HTTPS Market. An insightful read.

    DANE did sound like the best solution to me, particularly for machine-to-machine verification (e.g., Pumps with self-signed certs didn't really federate last I tried), but the article points out that it is not all good.

    Olivier Mehani at 2014-11-19T03:29:02Z

    September, not October. Man, post is slow to Australia....

    Olivier Mehani at 2014-11-19T03:42:19Z

    I'm glad that Jonne Haß wrote this. Some of these same ideas have been swirling in my head all day. That said, DNS (even with DNSSEC) is laughably insecure and (because it is centralized) the weakest point in the entire Internet.

    lnxwalt@microca.st at 2014-11-19T03:49:33Z

    jpope, Claes Wallin (韋嘉誠) like this.
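As an added illustration of the DANE check the post and replies argue about (example code written for this page, not taken from Jonne Haß's post, the Czech registry's browser extension or any other project): a client-side match of a TLS leaf certificate against a TLSA record as RFC 6698 defines it, with the precondition the replies stress, namely that the record counts for nothing unless the resolver validated it via the DNSSEC chain. The minimal DER walker, the `dnssec_validated` / `pkix_chain_ok` flags and the sample certificate are my own constructions; the certificate is structurally valid DER built inline and is not a real certificate.

```python
import hashlib
import hmac

# TLSA field values from RFC 6698: certificate usage / selector / matching type
DANE_EE, PKIX_EE = 3, 1            # usages handled here (0 and 2 constrain the CA instead)
FULL_CERT, SPKI = 0, 1             # selectors
EXACT, SHA256, SHA512 = 0, 1, 2    # matching types

def der_tlv(buf, pos=0):           # read one DER TLV at pos -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:              # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der):      # subjectPublicKeyInfo TLV, 6th element of tbsCertificate
    _, cert, _ = der_tlv(cert_der) # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert)      # tbsCertificate SEQUENCE
    pos, seen = 0, 0
    while pos < len(tbs):
        tag, _, end = der_tlv(tbs, pos)
        seen += tag != 0xA0        # optional [0] EXPLICIT version does not count
        if seen == 6:              # serial, sigAlg, issuer, validity, subject, then SPKI
            return tbs[pos:end]
        pos = end
    raise ValueError("no subjectPublicKeyInfo found")

def association_data(cert_der, selector, mtype):   # bytes a TLSA record carries for this cert
    subject = cert_der if selector == FULL_CERT else spki_from_cert(cert_der)
    hasher = {EXACT: lambda b: b, SHA256: lambda b: hashlib.sha256(b).digest(),
              SHA512: lambda b: hashlib.sha512(b).digest()}[mtype]
    return hasher(subject)

def tlsa_rdata_for(cert_der, usage=DANE_EE, selector=SPKI, mtype=SHA256):   # e.g. "3 1 1 <hex>"
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(rdata, cert_der, dnssec_validated, pkix_chain_ok=False):
    """True iff the leaf cert satisfies the record AND the record itself can be trusted."""
    if not dnssec_validated:       # a TLSA answer without a DNSSEC chain proves nothing
        return False
    usage, selector, mtype, assoc = rdata.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in (DANE_EE, PKIX_EE) or (usage == PKIX_EE and not pkix_chain_ok):
        return False               # usage 1 still needs a valid CA chain; usage 3 does not
    expected = association_data(cert_der, selector, mtype)
    return hmac.compare_digest(expected, bytes.fromhex("".join(assoc.split())))

def _tlv(tag, value):              # tiny DER encoder, only for the constructed sample below
    return bytes([tag, len(value)]) + value    # short-form length (< 128 bytes) is enough here

# Constructed sample: structurally valid DER, not a real certificate (empty names/validity)
SPKI_SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + _tlv(0x03, b"\x00\x04" + b"\x11" * 4))
CERT_SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                   + _tlv(0x30, b"") * 4 + SPKI_SAMPLE) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

`tlsa_rdata_for` yields the "3 1 1 ..." record a zone operator publishes for a certificate, and `tlsa_matches` is the client side; note that a usage 3 (DANE-EE) match replaces the CA chain entirely, which is exactly what lnxwalt's reply objects to when DNSSEC itself is the weak point.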

  • 2014-11-10T09:05:27Z via f.doomicile.de To: Public

    Sign language for "Abortion" - https://i.imgur.com/0uMowBF.gif
  • 2014-11-10T09:01:25Z via f.doomicile.de To: Public

    Sign language for "Abortion" - https://i.imgur.com/0uMowBF.gif
  • 2014-10-26T12:50:27Z via f.doomicile.de To: Public

    Top 10 All-Time submissions for /r/ImaginaryHorrors. - http://imgur.com/a/6Qbo4

    Naurim, Sotitrox like this.

    Sotitrox shared this.