Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] [GNU/consensus] Why support "Reset the Net" ? I don't get it

carlo von lynX lynX at
Thu Jun 5 03:28:27 PDT 2014

Heya.. I saw the ACLU, AI, EFF, FSF, Greenpeace, MoveOn
and other logos on the page.

Yet the things the page recommends are band-aids.
If it was that simple we could have done such a
campaign the same day the revelations came out.

- 1st of all, the main problem is mail and chat,
  so you don't solve that by HSTS

- The recommended solutions for mail and chat
  are obnoxious for normal users to install and
  will be obsolete in a year or so, since no-one
  should stick to mail and chat that does not
  protect the social graph "meta" data.

- The idea that all HTTP sites should upgrade
  to HTTPS, without at least convincing one CA
  to hand out free *.domain certificates, is just
  an amazing promotional campaign for the CA industry.

- HSTS is the greatest of all band-aids, much weaker
  than DANE, still if you use it wrong you condemn
  yourself to buying certificates for potentially a
  veeery long time. Would be better to go for the
  less bad band-aid: DANE.

- Would be better if the web browsers were supporting
  proper pinning of self-signed certificates. Or
  supporting so people can reasonably get
  free certs. They can show the sites with a yellow
  box instead of a green one (if Mozilla thinks cacert
  is less safe, which in the current situation is a
  ridiculous assertion anyway), but leaving the web in
  a state of utter brokenness is sick.

- Would be better to fix the scalability of Tor hidden
  services so we can use .onion instead of the broken
  HTTPS thing. Or if that doesn't work, use GNUnet for
  the "light web"

- Would be better to deploy opportunistic forward
  secrecy implemented in JS over HTTP (naif has been
  working on that)

- Would be better if campaign websites weren't themselves
  collecting personal data before even saying anything
  (the first thing it shows is a prompt to drop your
  e-mail into a box.. very reassuring).

So I don't see the point in a superficial campaign that
doesn't actually fix anything about the status quo, instead
it is likely to foster further damage by not offering long-term

If you think this makes sense, please forward it to the 
appropriate people in the appropriate organizations and 
get that support out of this.



More information about the liberationtech mailing list