[Cryptography] "we need to protect [our dox] by at least encrypting them"

Patrick Chkoreff patrick at rayservers.net
Sun Nov 6 11:11:39 EST 2016

ianG wrote on 11/05/2016 09:29 AM:

> Here's a new data point from Wired - how long did it take the browser
> manufacturers to respond to the bleedingly obvious failed GUI of the
> padlock?  20 years.
> https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/
> That article is the Good, the Bad and the Ugly of security thinking.
> Count the years - SSL and secure browsing invented in 1994, and the GUI
> was screwed by Netscape 1.0.  Now, in 2014, a browser manufacturer
> starts to seriously think about how to present the user a message.

For our company back-end web site we use a self-signed certificate.  In
Firefox I just force an exception the first time I see it, and my
partners have done the same.  I told them if they ever see a security
warning pop up to call me immediately and not do anything else.  (I'll
check the fingerprint for them.)

In Chromium it's not so easy.  I did figure out how to force an
exception by poking around in Settings, but I don't remember what I did.

None of this is ideal, but at least I'm not worrying about paying for
and renewing certificates every N years.

The potential vulnerability is that one day Eve or Moriarty or someone
interposes a fake certificate and one of my partners just forces a new
exception in Firefox.  At least with Chromium it's more difficult.
That's good, I guess, except it's also bad.

It's a big bloody mess.  I'd rather have James Donald's "yurls", where
the big ugly number in the URL has to match the certificate fingerprint
and the browser enforces it, but we all know THAT will never happen
unless I wrote my own bloody browser and get my partners to install it
on their Windows, Apple, and Linux machines.  And we all know THAT will
never happen.

I actually messed around with the "surf" browser from suckless.org for a
while, and hacked it to where it trusted EXACTLY ONE hardcoded
certificate.  That might be cool as the basis for a dedicated app, but
obviously it's just a hobbyist toy for now, and I'd need to port it and
have everyone install it.

So I've pretty much given up.  Maybe something like Mathematical Mesh
will become ubiquitous at some point in the next 10 years and I can take
advantage of that.

-- Patrick

More information about the cryptography mailing list