Wladimir Palant @WPalant@infosec.exchange
- Website
- https://palant.de/
- https://twitter.com/WPalant
- Mastodon
- https://social.tchncs.de/@WPalant
Software developer and security researcher, browser extensions expert. He/him
Joined Aug 2018
Does it have to be binary or will JSON-based do as well? 😀
I've created a bunch of binary formats in the past, but growing up I started to understand the advantages of well-known and human readable container formats with pre-existing parsers - such as XML or JSON.
@adam In principle - anything would be possible. The problem is merely getting enough weight behind a solution for it to gain traction. So far I don't see anything like that on the horizon.
@leip4Ier You can very quickly push a number of fragment URLs to history by assigning to location.hash - not really noticeable to the user, and little you can do about it. At least if the website wants to be annoying, which is luckily rare.
@leip4Ier They don't need the History API to mess up your browsing history, badly written websites managed to do that before this API came up as well...
@m4iler You always depend on someone's server. Even if you self-host email, your communication partner most likely won't. If their server goes down or decides to blacklist your email server (happens way too frequently), you won't be able to communicate.
You could theoretically also self-host a Signal server, but I don't think that you really want that. More like a less centralized system which just happens to work and be secure - I'm not currently aware of any.
@m4iler Passbolt is open source software, you can use it for free if you don't need support. However, it's mainly targeted at organizations, not individual users, so not really comparable to pass.
@leip4Ier I remember working around that some time ago but I'm not entirely sure how - I think I did it from the Recovery Console. https://neosmart.net/wiki/recovery-console/
@varx That's the point which the author was making - PGP can do the job, but a specialized solution like Signal will be a lot better. You just start messaging a person - zero effort required on your end to establish a secure communication channel. If you want to be extra certain that no MitM is going on, you compare the safety number over another channel. But that extra step is really for the "a mistake can get you killed" scenario.
@PresGas It doesn't, and it wasn't a big issue to begin with. It's the general approach that I have doubts about.
@PresGas I don't know anything about the protocol. But their general approach to security doesn't seem very robust, to the point where I really wouldn't trust the product. I've written about it here, and other people chimed in with similar experiences: https://palant.de/2018/09/06/keybase-our-browser-extension-subverts-our-encryption-but-why-should-we-care/
@jerry The guy accused me (or the author of the article) of badmouthing PGP for no reason, and after I replied I noticed that I can no longer open his profile. No, not a joke.
Wow, somebody blocked me on Mastodon, that's a first. I dared to criticize PGP...
@61 So which of the issues mentioned in the articles are going to be addressed by more resources thrown on GPG? A better implementation isn't going to fix any of the fundamental issues.
Mind you, the complexity of the whole thing is certainly a factor why contributions have been so few.
@61 Aha, random wingy twaddle... Anything in particular? Many of the issues I've been aware of myself, others I haven't heard about before but knowing a thing or two about crypto they make perfect sense. Could still be wrong of course, do you know something that I don't?
It's a rant, no question - but I don't care what you have to say about its author if you cannot discuss the content.
@leip4Ier Is it stupid if I never understood the point of signing Git commits? Is anybody ever validating signatures on commits found in the project's official repository?
As to Linux package managers - yes, they are heavily invested into PGP, for no good reason. I doubt that anybody really checks the signing key when a repository changes theirs - PGP key servers are no real help here. If anything, key validation should be taken out of user's hands (e.g. centralized by distribution).
And #email is indeed beyond saving, I don't see secure communication over email to happen, ever. No way around establishing new protocols for encrypted communication, e.g. #Signal.
https://palant.de/2018/11/12/as-far-as-i-m-concerned-email-signing-encryption-is-dead/
So here you have the full picture now: #PGP doesn't work and never will. Stop recommending it, stop organizing key signing parties, you aren't helping anybody doing that. Just put it to grave instead.
@leip4Ier Never used Telegram, and so far it doesn't sound like I will. From what I've read about it so far, privacy-wise it's really lacking yet the marketing machinery won't care.
@leip4Ier I definitely won't disagree on that. I can see how using phone number as ID is convenient, but it should at least be optional - for the people who actually use it for the security and privacy benefits.
- Website
- https://palant.de/
- https://twitter.com/WPalant
- Mastodon
- https://social.tchncs.de/@WPalant
Software developer and security researcher, browser extensions expert. He/him
Joined Aug 2018
