Re: [dev] TLS / HTTPS support

From: Hiltjo Posthuma <>
Date: Thu, 31 Aug 2017 15:30:21 +0200

On Thu, Aug 31, 2017 at 02:45:03PM +0200, hiro wrote:
> > I agree or just a simple HTTPS browser bookmark. I think that's better on
> > many
> > levels, for example otherwise someone can also spoof a plain HTTP redirect.
> Browser distributors had the chance to implement something like this,
> plus client side certificate pinning, but they fucked it up.

I agree, still I think it's a good thing to provide TLS optionally. Another
idea would be to also add support for Tor hidden services, this is trivial to

> Now we have something much worse: letsencrypt and this completely
> insecure http redirection snake-oil.

These are 2 different issues and HTTP redirection is optional.

> With letsencrypt you now have to put extra work (can't keep track of
> all the individual subdomains either, wildcards are suddenly a
> security risk?!), and nobody bothers to quantify the amount of gained
> security.

Renewing certificates is much easier with LetsEncrypt. All subdomains of
suckless are known. There are too many subdomains though imho.

Wildcard implementations can be a security risk since they are more complicated.
An example was a wildcard certificate that is NUL terminated and some CAs and
browsers accepted a wildcard for ALL domains (in a nutshell).

See the legendary talk:

        More Tricks For Defeating SSL
        by Moxie Marlinspike

Though LetsEncrypt announced it will likely support wildcard domains in January 2018.

> Instead of having to trust garbeam I now have to trust third persons
> (i can't even count them), because it's too much work for garbeam to
> just make a certificate that my browser will think is ok.

That's bullshit, the difference is the certificate is signed by a CA. It's up
to you to decide to trust and use it anyway.

> That's why I wonder why you have put all this effort to begin with.
> Who are you trying to protect who isn't already gonna use the Ubuntu
> pgp-signed packages?

The Ubuntu package maintainers have to fetch the sources in a trusted way. I
agree this is not solved with HTTPS.
That's why the sources could be PGP signed as well (just an idea atm).

> The people who manage to write code and compile
> it and contribute back who already have the sshd public key trusted in
> their .ssh folder?

Yes, but that's the minority unfortunately.

As usual you're not offering any solutions. But you were more constructive than
usual. Are you feeling well, hiro?

Kind regards,
Received on Thu Aug 31 2017 - 15:30:21 CEST
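The NUL-terminated wildcard certificate Hiltjo mentions above (from Moxie Marlinspike's "More Tricks For Defeating SSL" talk) comes down to a name-matching defect: the certificate's subject name is a length-prefixed byte string in DER and may contain a NUL byte, but a validator that copies it into a C string stops reading at that NUL. A CA that validated the full name `*\0.thoughtcrime.org` saw the owner's own domain, while a browser that truncated it saw the bare wildcard `*` and matched every host. The following C is an added example, not code from this thread or from any suckless project: it places a naive C-string matcher beside a length-aware one that rejects embedded NULs and restricts the wildcard to the leftmost label. The function names, the sample certificate names and the hostnames are constructed for this illustration.

```c
/*
 * Added example (not from the suckless dev list): NUL-byte certificate
 * name truncation, vulnerable matcher beside a hardened one.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample subject names, with explicit lengths as a DER decoder
 * would report them. The string literal's trailing terminator is excluded. */
static const unsigned char NUL_WILDCARD_CN[] = "*\0.thoughtcrime.org";
#define NUL_WILDCARD_LEN (sizeof(NUL_WILDCARD_CN) - 1)             /* 19 bytes */
static const unsigned char NUL_PREFIX_CN[] = "www.paypal.com\0.thoughtcrime.org";
#define NUL_PREFIX_LEN (sizeof(NUL_PREFIX_CN) - 1)                 /* 32 bytes */
static const unsigned char HONEST_WILDCARD_CN[] = "*.thoughtcrime.org";
#define HONEST_WILDCARD_LEN (sizeof(HONEST_WILDCARD_CN) - 1)       /* 18 bytes */

/* VULNERABLE: treats the certificate name as a C string, so everything after
 * the first NUL byte is silently dropped. "*\0.thoughtcrime.org" becomes "*",
 * whose wildcard suffix is the empty string, and every host "ends with" that. */
bool match_cstring(const unsigned char *cn, const char *host)
{
    const char *pattern = (const char *)cn;     /* length lost: strlen() stops at NUL */
    size_t plen = strlen(pattern), hlen = strlen(host);

    if (pattern[0] == '*') {
        const char *suffix = pattern + 1;       /* "" when the name was "*\0..." */
        size_t slen = plen - 1;
        return hlen >= slen && strcmp(host + hlen - slen, suffix) == 0;
    }
    return strcmp(pattern, host) == 0;
}

/* HARDENED: works on (pointer, length) as DER gives it, refuses any name
 * carrying a NUL byte, allows '*' only as the whole leftmost label, and
 * requires at least two labels after it so "*.org" cannot match the world. */
bool match_lengthaware(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(cn, '\0', cn_len) != NULL)       /* DNS names never contain NUL */
        return false;

    if (cn_len >= 2 && cn[0] == '*' && cn[1] == '.') {
        const unsigned char *suffix = cn + 1;   /* ".thoughtcrime.org" */
        size_t slen = cn_len - 1;
        if (memchr(suffix + 1, '.', slen - 1) == NULL)
            return false;                       /* only one label after '*' */
        const char *dot = strchr(host, '.');
        if (dot == NULL)
            return false;
        /* the host's first label stands in for '*'; the rest must match exactly,
         * so the wildcard covers a single label, not "a.b.thoughtcrime.org" */
        size_t tail = hlen - (size_t)(dot - host);
        return tail == slen && memcmp(dot, suffix, slen) == 0;
    }
    return cn_len == hlen && memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *victim = "www.paypal.com";
    printf("vulnerable matcher, NUL wildcard vs %s: %d\n", victim,
           match_cstring(NUL_WILDCARD_CN, victim));
    printf("hardened matcher,   NUL wildcard vs %s: %d\n", victim,
           match_lengthaware(NUL_WILDCARD_CN, NUL_WILDCARD_LEN, victim));
    printf("hardened matcher,   honest wildcard vs www.thoughtcrime.org: %d\n",
           match_lengthaware(HONEST_WILDCARD_CN, HONEST_WILDCARD_LEN, "www.thoughtcrime.org"));
    return 0;
}
```

The fix that actually shipped in the affected stacks was of this shape: stop converting the subject name to a C string and compare it with its declared length, rejecting names that contain NUL. The same length-versus-terminator mismatch is why the plain "NUL prefix" name `www.paypal.com\0.thoughtcrime.org` also passed the truncating matcher for `www.paypal.com`.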

This archive was generated by hypermail 2.3.0 : Thu Aug 31 2017 - 15:36:24 CEST