[Freedombox-discuss] :Configuration: Plug Server Test Publically Available

Sun Nov 6 19:08:06 UTC 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bjarni, thanks for the reply!

Bjarni Rúnar Einarsson <bre-k9pR3Njzdnfk1uMJSBkQmQ at public.gmane.org>
writes:

> Hey Nick,
>
> Glad it's working for you! :-)  I wanted to respond to a couple of
> comments you made inline:

I must've been really tired when I wrote this, as I didn't really say
what I meant.

> On Sat, Nov 5, 2011 at 6:26 AM, Nick Daly <nick.m.daly-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:

>> It weirds me out that I need to *MITM myself* so the FBX can be
>> reached

I was actually combining my concerns about MITM problems and my concerns
about needing a port-forwarding service, above.  The port forwarding
service adds another service that (if taken offline) would render my
site unreachable.  However, the system already has so many moving parts
that it's a very minor concern.  Anyway, my connection to the outside
world wouldn't work without it :)

>> but I'm not too worried that the Icelandic government's
>> going to fake an SSL certificate.  Israel might, though, so it might
>> be good to move PageKite to a (root-)CA based in their own country.
>
> I think this is a misunderstanding.  Sadly, anyone who can sign
> certificates can probably MITM us - it doesn't matter which root signs
> our cert, the browser will accept any valid signature from anywhere.
> I don't particularly trust Israel, but as I understand things, I'm
> afraid it doesn't really matter much. The only way I know to manage
> this risk is to use the Firefox and the Certificate Patrol plugin, or
> self signed certs (see below) and a security exception in the browser.
>
> PageKite's wildcard SSL service does not pretend to be a perfect
> solution and we hope our users understand the limitations of what we
> offer - but it is better than nothing. :-)

No disrespect to either of the above governments intended, I was
ironically referring to the fact that there's no way I can know who has
what interest in faking which certificates.  After reading "Certified
Lies" (and installing Cert Patrol [0]) I worry less about the majority
of SSL MITM attacks and primarily about country-specific attacks.  I
actually forgot SSL's issues were bigger than country-specific concerns,
since I'm less vulnerable to those types of attacks.

This is why we need a globally-distributed, self-authenticating
namespace.  Though, as John Gilmore mentioned, that's a decades long
goal; it's not a current priority.

An interesting fact about the "Certified Lies" paper: there are at least
two different versions of this paper currently available.  I don't know
why or when the paper was revised, neither version carries any dating or
version information.  You can tell which version of the paper you're
reading by looking at the Abstract.

    http://cryptome.org/ssl-mitm.pdf

    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1591033

Nick

0: https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/
- -- 
Writing my GPG key fingerprint at the end of a self-authenticating and
self-identifying message seems redundant.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJOttsWAAoJEJ8nM/QJKNI6n+MP/AnlXu3Ed1u2bWmRZHexe9d1
T6Hdu06qmMTZ1BkrogPPeQH11Zd7AFFsGZIyRXS+BulcDNCgpApzd48EZzoJSajR
HUnsLscZp52ELb4g9yOccAowQuPFPsS1wM6a7do8p1Y5VbnCTlQ1O7U98MpV+gVM
A74Up6F26O1OOf6bbwuNhoa61HQ9/osSYNlonATHiZirbdSs4cUFJg3oBNb1gPPe
j6slPTixOHEc1vJd+g/ClatMWeHHMnYv3JMwk68JBZIgY4TOCavqIdmO8mhCbvDU
DImiTbycPAQamlXdinFxEI3NHOE8YsUEwXcEft4t3I8qK6oXFsxcqRb8t9baWp2t
xQNc9tKMaVSm4nAoVbLNdtafn/A2j7z7wHaW0IDXcCnQkvu2N8qWKy5laqJdf54E
zCbaE8l8Xe61TKOur3ciK7m1fsVZNVk5f6uSDtRwXb09zSRCoRln1cGWvBxnNjM5
2Y4G+vVj2S8vQsXtfKX0LN/9jpgmnkfcScPf481HP0FdFsVy/l/zrX7B2IIwBb5s
Jj+OmCpuD2fnyF2cuXf2ImCLfEDYKZwZsca6EmnA2rxGFiouBoI0QgMHIwwasShc
Fes+kyEBKn+Jb2J71j9Lm9pzLe4NjIagVGtNMHeFgOqR3bEtJievCKo/dmahTsqO
/zKGrR+2b1vJv3nCWqsO
=rpnU
-----END PGP SIGNATURE-----