[pp.int.general] resetthenet.. srsly? (was: Antonio)

carlo von lynX lynX at pirate.my.buttharp.org
Sat Jun 7 00:43:45 CEST 2014


On Thu, Jun 05, 2014 at 08:06:39PM +0300, Andrianos Pappas wrote:
> Wtf, this is all stuff for personal correspondence and talks, not for international lists. 
> So if you could all just stfu, and focus on real life things, such as #resetthenet, it'd be awesome. 

from http://lists.gnu.org/archive/html/consensus/2014-05/msg00000.html

If it was that simple we could have done such a
campaign the same day the revelations came out.

- First of all, the main problem is mail and chat,
  so you don't solve that by HSTS

- The recommended solutions for mail and chat
  are obnoxious for normal users to install and
  will be obsolete in a year or so, since no-one
  should stick to mail and chat that does not
  protect the social graph "meta" data.

- The idea that all HTTP sites should upgrade
  to HTTPS, without at least convincing one CA
  to hand out free *.domain certificates, is just
  an amazing promotional campaign for the CA industry.

- HSTS is the greatest of all band-aids, much weaker
  than DANE, still if you use it wrong you condemn
  yourself to buying certificates for potentially a
  veeery long time. Would be better to go for the
  less bad band-aid: DANE.

- Would be better if the web browsers were supporting
  proper pinning of self-signed certificates. Or
  supporting cacert.org so people can reasonably get
  free certs. They can show the sites with a yellow
  box instead of a green one (if Mozilla thinks cacert
  is less safe, which in the current situation is a
  ridiculous assertion anyway), but leaving the web in
  a state of utter brokenness is sick.

- Would be better to fix the scalability of Tor hidden
  services so we can use .onion instead of the broken
  HTTPS thing. Or if that doesn't work, use GNUnet for
  the "light web"

- Would be better to deploy opportunistic forward
  secrecy implemented in JS over HTTP (naif has been
  working on that)

- Would be better if campaign websites weren't themselves
  collecting personal data before even saying anything
  (the first thing it shows is a prompt to drop your
  e-mail into a box.. very reassuring).

So I don't see the point in a superficial campaign that
doesn't actually fix anything about the status quo; instead,
it is likely to foster further damage by not offering long-term
solutions.

If you think this makes sense, please forward it to the 
appropriate people in the listed organizations.
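An added example, not code from the post or from any project it mentions: a small Python model of a browser's HSTS cache (RFC 6797) illustrating the "condemn yourself to buying certificates" point above. The host name, the policy values and the timings are constructed.

```python
"""Toy HSTS cache: a policy is only set or withdrawn over trusted HTTPS."""

def parse_sts(header):
    # Split a Strict-Transport-Security value into directives; names are
    # case-insensitive and only max-age carries a value.
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in header.split(";"):
        name, _, value = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out

class BrowserHsts:
    """Known-HSTS-host cache: host -> (expiry time, includeSubDomains flag)."""
    def __init__(self):
        self.cache = {}

    def observe(self, host, header, now, cert_valid):
        # Only a response over a connection with a valid certificate may set,
        # extend or withdraw the policy; the header is ignored otherwise.
        if not cert_valid:
            return
        d = parse_sts(header)
        if d["max_age"] == 0:
            self.cache.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self.cache[host] = (now + d["max_age"], d["include_subdomains"])

    def must_use_https(self, host, now):
        # Would a plain http:// request be upgraded at time `now`? Walks up
        # the parent domains so includeSubDomains is honoured.
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.cache.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

def lock_in_demo():
    # Constructed scenario: a one-year policy is set, the certificate later
    # lapses, and the operator's attempt to withdraw it is not honoured.
    year, day = 31536000, 86400
    b = BrowserHsts()
    b.observe("example.org", f"max-age={year}; includeSubDomains", 0, True)
    b.observe("example.org", "max-age=0", 100 * day, cert_valid=False)
    return {"root_locked": b.must_use_https("example.org", 100 * day),
            "subdomain_locked": b.must_use_https("www.example.org", 100 * day),
            "free_after_year": b.must_use_https("example.org", year + 1)}
```

Until the policy expires, a browser that has cached it refuses the host outright when the certificate fails validation, so the only way out is to serve a valid certificate again.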
