I implemented a simple #efail exploit for Apple Mail, which is vulnerable to direct exfiltration with its default settings. The mitigation, disabling remote content, works but is brittle. So never click "Load Remote Content". (Thunderbird/Enigmail is vulnerable in a similar way, but I haven't tried that one yet.)
Tor is an open network, and all Tor relay IPs are public, which makes it simple for repressive governments to block them all.
Meek is a domain fronting pluggable transport that censored users rely on to bypass these blocks. Since Amazon and Google have blocked domain fronting, only Microsoft's Azure cloud still works, but Tor hears Microsoft might block it next.
My 9-year-old nephew (who isn't white) was searching Google Images, with SafeSearch turned on, for NASA pictures. He found a meme that he thought was funny because it had a NASA logo and a snake.
It was an antisemitic meme with a swastika, a symbol which he's never seen before. I've gotta talk with him about Nazis and the internet now. And why is Google letting Nazi memes through when SafeSearch is enabled?
And Let's Encrypt is basically the very best part of this system, a response to the for-profit CA racket where everyone who wants web security had to pay up. They're not the problem.
The system of PKI and CAs is the real problem. We need a decentralized replacement system to solve that problem.
@jerry @upshotknothole @michela @tessaracht I don't think anyone will buy Let's Encrypt because it's a non-profit organization without a profit motive, and I think they understand how important their role is.
Centralizing trust isn't really a problem with Let's Encrypt, it's a problem with PKI in general. As long as certificates require central Authorities to vouch for them, this problem will always exist.
@gutigen Signal isn't a honeypot. They have the ability to collect metadata (like all service providers, including mastodon.social), but unlike most other services they promise not to log any of it to disk: https://signal.org/signal/privacy/
@marsxyz I don't see how a federated Signal would have changed this situation at all. They'd just block the whole network, and Signal would still need censorship circumvention.
The fact that much of the web is centralized under cloud services like AWS and Google sucks, but at least it makes domain fronting possible -- assuming the companies are ok with it, which apparently they're not.
@upshotknothole CAs are already (sort of) federated. You can choose whoever you want. The reason Let's Encrypt is so popular is because 1) it's free, 2) thanks to certbot it's simpler to deploy than everything else.
Let's Encrypt will completely dominate I think until there's another free CA that also offers automated certs.
Doing this would be a huge expensive project of course, like Let's Encrypt itself was (expensive, because it costs money to buy your way into browser trust stores).
Hey folks, we're new to this medium. As an #Introduction: we produce a weekly #anarchistpodcast & radio show and are based in the U.S. South. We followed @submedia here, heard about it on the latest #tfn. We'll be posting our weekly podcasts and occasional #anarchist tech shows (#error451), where Bursts (host) is usually joined by William Budington, who also works at the @EFF, to talk about tech security concerns and work-arounds. Hit us up if you wanna know more and check our bio for our website.
@paulfree14 it isn't really about Zuckerberg. It started with revelations that Cambridge Analytica used FB data from millions of users (who opted into sharing their and their friends' data to some psychology app) to build targeted ad profiles used to elect Trump. And the privacy nightmare of Facebook, and how vulnerable its algorithms are to things like fake news and Russian influence campaigns.
An issue with #DeleteFacebook is it didn't offer alternatives (to be fair, there are none).
@fullywoolly well, you can if you store the key in Local storage. But it has the hushmail/cryptocat/ProtonMail/lavabit problem.
Since it's a website and not a native app, you basically download the source code each time you load the page. So the server could choose to serve _you_ a backdoor while giving everyone else the secure version of the JavaScript, with no way to detect it.
@fullywoolly @hinterwaeldler yes, it's called Secret Conversations. It only works if both users are using the Messenger mobile app (because FB doesn't hold the keys, it doesn't work in a browser, true with any e2e).
The other WhatsApp founder who already left Facebook, Brian Acton, gave $50 million to start the Signal Foundation with Moxie Marlinspike, and is part of the #DeleteFacebook campaign. Facebook must hate these guys.
"The billionaire chief executive of WhatsApp, Jan Koum, is planning to leave the company after clashing with its parent, Facebook, over the popular messaging service's strategy and Facebook's attempts to use its personal data and weaken its encryption, according to people familiar with internal discussions."