Re: [dev] suckless.org TLS / HTTPS support

From: hiro <23hiro_AT_gmail.com>
Date: Thu, 31 Aug 2017 18:52:32 +0200

> These are 2 different issues and HTTP redirection is optional.

Something being optional does not prevent it from having net negative effect.

> Renewing certificates is much easier with LetsEncrypt. All subdomains of
> suckless are known. There are too many subdomains though imho.

Nobody can remember all the subdomains, and each has to be renewed
manually. That makes it too much work, and I guess if it wasn't too
much work garbeam could have just done it himself, so that people
depending on the security promised by your silly certs only have to
trust the integrity and competence of one person.

I don't think the subdomains or their number should be changed;
anything like this is just gonna break links anywhere else. The net
negative effect on the community is not worth it, and the
suckless/dwm/wmii community has already suffered enough negative
reputation from shit like this.

> Wildcard implementations can be a security risk since they are more
> complicated.
> An example was a wildcard certificate that is NUL terminated and some CAs
> and browsers accepted a wildcard for ALL domains (in a nutshell).

Browsers and SSL implementations were always broken, that doesn't make
wildcards automatically bad. The NULL issue was bad enough without the
wildcard problem.
The real problem here is just kindergarten programming, and your
argument reminds me of the usual boring goto is bad, type safety,
training wheels rhetoric.
If you were consistent in any way you'd just tell us not to use SSL,
there are soooo many deep flaws in the stupid libraries, it's
completely hopeless.

> Though LetsEncrypt announced it will likely support wildcard domains in
> January 2018.
> https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

That's great. Meanwhile everybody will have to delete their
subdomains, use paid-for certs or waste their time creating temporary
technical solutions for automatic handling of the subdomains that are
not supported by the incompetent letsencrypt people when they would be
needed by potential users like you guys...

>> Instead of having to trust garbeam I now have to trust third persons
>> (I can't even count them), because it's too much work for garbeam to
>> just make a certificate that my browser will think is ok.
>
> That's bullshit, the difference is the certificate is signed by a CA. It's
> up to you to decide to trust and use it anyway.

I trust the CA (even the incompetent letsencrypt people) more than
some random mailing list user that garbeam decided to trust.
At least I understand the general process of an inefficient useless
company that letsencrypt is, and I know they can't efficiently harm me
and all their other users in the same way suckless user will for sure
do, and has done in the past (i don't mean compromises of security,
but in effect making web sites completely inaccessible by their small
communities).

Most people that you're trying to help stay secure probably know
garbeam and the others *even less* than me, so if they have to
suddenly start trusting so many more random people to get any small
security advantage, what should make them bother in the first place?
Are you not just again completely relying on the browser distributors
to decide what is right and important for the users instead of taking
things in your own hands and making a difference as suckless in the
webshit world? To me any engagement in this stuff is not just passive
acceptance, it's active increase of suck.

>> That's why I wonder why you have put all this effort to begin with.
>> Who are you trying to protect who isn't already gonna use the Ubuntu
>> pgp-signed packages?
>
> The Ubuntu package maintainers have to fetch the sources in a trusted way.
> I agree this is not solved with HTTPS.
> That's why the sources could be PGP signed as well (just an idea atm).

Can they not just use the ssh access then? You could allow them to
verify your ssh public key in a multitude of ways that are more secure
than using ssl and Honest Achmed CAs.

>> The people who manage to write code and compile
>> it and contribute back who already have the sshd public key trusted in
>> their .ssh folder?
>
> Yes, but that's the minority unfortunately.
>
> As usual you're not offering any solutions. But you were more constructive
> than usual. Are you feeling well, hiro?

It's just that there's more stupid shit done here lately, so it
overlaps with my ranting realms.
Received on Thu Aug 31 2017 - 18:52:32 CEST
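Added example, not part of this post or of the suckless site: a strict certificate-name matcher in Python showing the two checks the thread touches on, rejecting NUL bytes in names (the truncation confusion a C-string based checker suffers) and confining wildcards to a single left-most label. The hostnames and SAN lists used are constructed.

```python
"""Strict TLS hostname matching: exact names plus single-label wildcards.

A checker built on C strings stops reading at the first NUL, so a name
like "www.example.com\x00*.evil.test" would be compared as
"www.example.com". Here any NUL is rejected outright instead.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Return True if cert_name (a dNSName SAN entry) covers hostname."""
    # A valid DNS name never contains a NUL byte; refuse rather than
    # let a lower layer silently truncate the comparison.
    if "\x00" in cert_name or "\x00" in hostname:
        return False
    host = _labels(hostname)
    cert = _labels(cert_name)
    if not all(host) or not all(cert):      # empty label, e.g. "a..b"
        return False
    if "*" not in cert_name:
        return host == cert
    # Conservative wildcard rules (RFC 6125 style):
    # - the wildcard must be the entire left-most label ("*.example.org"),
    # - it matches exactly one label, never zero and never several,
    # - at least two real labels must follow, so "*.org" matches nothing.
    if cert[0] != "*" or len(cert) < 3 or any("*" in l for l in cert[1:]):
        return False
    return len(host) == len(cert) and host[1:] == cert[1:]


def covered_by(hostname: str, san_names: list[str]) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(hostname_matches(hostname, n) for n in san_names)


if __name__ == "__main__":
    # Constructed sample certificate with one exact name and one wildcard.
    san = ["suckless.org", "*.suckless.org"]
    for h in ["dwm.suckless.org", "a.b.suckless.org", "suckless.org"]:
        print(h, covered_by(h, san))
```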

This archive was generated by hypermail 2.3.0 : Thu Aug 31 2017 - 19:00:40 CEST