Re: [dev] suckless.org TLS / HTTPS support

From: hiro <23hiro_AT_gmail.com>
Date: Thu, 31 Aug 2017 14:45:03 +0200

> I agree, or just a simple HTTPS browser bookmark. I think that's better on
> many levels, for example otherwise someone can also spoof a plain HTTP redirect.

Browser distributors had the chance to implement something like this,
plus client side certificate pinning, but they fucked it up.

Now we have something much worse: letsencrypt and this completely
insecure http redirection snake-oil.

With letsencrypt you now have to put in extra work (can't keep track of
all the individual subdomains either, wildcards are suddenly a
security risk?!), and nobody bothers to quantify the amount of gained
security.

Instead of having to trust garbeam I now have to trust third persons
(I can't even count them), because it's too much work for garbeam to
just make a certificate that my browser will think is ok.

That's why I wonder why you have put all this effort to begin with.
Who are you trying to protect who isn't already gonna use the Ubuntu
pgp-signed packages? The people who manage to write code and compile
it and contribute back who already have the sshd public key trusted in
their .ssh folder?

For yourself you anyway lack any meaningful all-encompassing
security strategy. 'Cause secretly you know the risk is small, or many
other, unrelated, but more important risks in life are bigger and
demand more of your attention. If you live in Europe you probably
won't even be able to supply enough ammo for self-defense of your
source code.

Received on Thu Aug 31 2017 - 14:45:03 CEST