gnuorange
05/02/17 03:59PM
Privacy: Tor, Gnunet, lets encrypt etc...
Hello,
I wanted to ask multiple questions

-If not yet does this website has a .onion adress ?
-If not will it one day have one ?

-Why use "COMODO CA Limited" certificates while Lets encrypt exist ?
https://en.wikipedia.org/wiki/Let%27s_Encrypt

-Has anyone tried to use Gnunet for secured/anonymous file sharing ?
bipface
05/02/17 04:10PM
maybe Booru buys SSL certs in bulk for multiple sites

though i'm not sure what the advantage over LetsEncrypt would be in any case

maybe one of the a reasons mentioned here applies?: http://security.stackexchange.com/questions/90972/
though it's hard to imagine compatibility concerns, since HTTPS is kinda opt-in for R34, and such users will rarely be using old browsers
gnuorange
05/06/17 06:48AM
To biface:
The advantage of Lets encrypt is that you get a bit more privacy since there isn't a mandatory ID verification.
There's also all the automation to resign your certificates automatically.
I could say that it's also gratis but admins and sysadmins don't give a dam about that one.

I never understood why certification authorities where a thing.
Their was never a need to these from the beginning since it's just a trust system.
If it was necessary from all P2P encryption then every signed email with pgp would need a third party, which is ridiculous.

At least the website doesn't use cloudflare...
>do a whois rule34.xxx
Shit
Name Server: WILL.NS.CLOUDFLARE.COM
Name Server: ROXY.NS.CLOUDFLARE.COM
Why is more than 1/3 of the internet under this horrible system.
bipface
05/06/17 07:59AM
gnuorange said:
The advantage of Lets encrypt is that you get a bit more privacy since there isn't a mandatory ID verification.
There's also all the automation to resign your certificates automatically.
I could say that it's also gratis but admins and sysadmins don't give a dam about that one.


no no, i said

:
though i'm not sure what the advantage [of other certificate authorities] over LetsEncrypt would be


the advantage of letsencrypt is obvious: it's free
bipface
05/06/17 08:05AM
gnuorange said:
At least the website doesn't use cloudflare...
>do a whois rule34.xxx
Shit
Name Server: WILL.NS.CLOUDFLARE.COM
Name Server: ROXY.NS.CLOUDFLARE.COM
Why is more than 1/3 of the internet under this horrible system.

ikr
you probably heard about http://en.wikipedia.org/wiki/Cloudbleed ?
just waiting to see which ubiquitous internet service or library bleeds next …
gnuorange
05/07/17 01:31AM
bipface said:
gnuorange said:
At least the website doesn't use cloudflare...
>do a whois rule34.xxx
Shit
Name Server: WILL.NS.CLOUDFLARE.COM
Name Server: ROXY.NS.CLOUDFLARE.COM
Why is more than 1/3 of the internet under this horrible system.

ikr
you probably heard about http://en.wikipedia.org/wiki/Cloudbleed ?
just waiting to see which ubiquitous internet service or library bleeds next …


More than just heard.
After the information was out and seing the impact of it (more than 4 million website on cloudflare)
https://github.com/pirate/sites-using-cloudflare
With some fellow sysadmins we investigated what was cloudflare further because we personally never had to use this kind of services that they promoted.

This is basically a copypasta from a image board but it resumes what we found and understood.
------------------------------

-cloudflare makes it extremely difficult for Tor users and users who disable javascript. This difficulty was originally just a simple CAPTCHA, that progressed into impossible CAPTCHAs (CAPTCHAs that would reject all answers).

-cloudflare arbitrarily bans whoever they want. Today, it is Tor users who disable javascript. Tomorrow, it could be all Firefox users, Gnu/Linux users, VPN users, Brazillians, Germans, Snowden supporters, filesharers, anons, children, women, homosexuals, Christians. The exact criteria doesn't matter, because it is completely at the whim of cloudflare.

-cloudflare completely breaks SSL

Standard SSL handshake
User -> website's key -> website
User <- User's key <- website

Only the User and the website can read or write data transferred over the HTTPS connection. Authenticity, integrity, confidentiality guarenteed by cryptography.

cloudflare's SSL version of it
User -> cloudflare's key -> cloudflare -> website's key -> website
User <- User's key <- cloudflare <- cloudflare's key <- website

cloudflare outright decrypts ALL CIPHERTEXT THAT PASSES THROUGH IT. cloudflare has COMPLETE ACCESS TO ALL PLAINTEXT. In other words, cloudflare in a Man-in-the-Middle (MitM) attack.

-cloudflare (untraceably) conducts internet surveillance
-cloudflare (untraceably) steals passwords: online banking, e-voting, internet connected devices, medical implants. If you have used a web frontend for server admin such as PHPMyAdmin, then cloudflare has your server's login password.
-cloudflare (untraceably) steals data: every file uploaded through cloudflare can be read by cloudflare.
-cloudflare can (untraceably) censor content
-cloudflare can implement an Acceptable Content Policy, denying access to any site that does not conform and censor content.
-Word filter
-Copyright detection
-Deep-packet inspection
-Per-user censorship
-cloudflare can (untraceably) tamper with content
-JS exploit injection
-Altering downloaded executables
-Misattributing words
-Framing users for sending data that they did not send.

Untraceably, because unlike a standard MitM, which can always be detected by saving and comparing public keys between sessions, cloudflare is always in the middle and is always either forging a fake public key or even TAKING YOUR PRIVATE KEY.

-cloudflare centralizes the internet, creating a single point of failure. If cloudflare goes down, every server routing through them goes down.

-cloudflare does not actually protect against hacking. They can be bypassed using any proxy other than Tor, let alone nation-state botnets of hundreds of millions of compromised systems.

-cloudflare costs money. You are paying for the privilege of giving away your domain, SSL key and server traffic to a third party.

The rational conclusion to the above would be that cloudflare is attempting to consume the entire internet, like cancer.

As cloudflare is a US corporation, which appeared out of nowhere with more bandwidth and better hardware than most ISPs and has rapidly spread across the internet, it is highly likely they are an NSA front designed to completely take over the internet. Use cloudflare or be DDoS'd, that is the definition of a protection racket. Do not let them succeed, if you value the internet.

------------------------------


That last part about CIA/NSA is just speculation but in our sad times it is possible.

We disused this in private with security researchers and they are well aware of what cloudflare can do, they even showed us that it's even possible to rehash any data and inject malicious code. They explained that it already happened to BSD several years ago which was surreal to hear because that day they lost a lot of friends.

For now I am looking for solutions try to warn people their and that.
The only promising solution that some anon presented was gnunet which is pretty interesting.

Anyway
Have a good day m8
Gluck
05/07/17 02:28AM
If anyone feels the need to use a VPN make sure you get one not based in the states or other countries where they could demand data be handed over by the VPN provider.
gnuorange
05/07/17 09:29PM
Gluck said:
If anyone feels the need to use a VPN make sure you get one not based in the states or other countries where they could demand data be handed over by the VPN provider.


Even if you can't be sure that your VPN provider isn't selling you data.
VPN are inefficient now because of we now know that correlation of metadata or just plain metadata is revealing enough information.
The only solution that we have working today is Tor and even Tor has flaws (thank you javascript and shit design).

Their are few projects that tries to correct the broken web but they aren't getting enough people on it.
There are actually two system atm:
I2P
Gnunet

I2P is more usable right now but has some problems in it's design and redesign part of it will make it incompatible will all the other nodes.

Gnunet literally brakes every foundation of the web.
Encrypted from top to bottom (even links) totally decentralized.
Still some work to do make it appealing to normal users.
but ultimately this i the best long term solution it just needs more devs on it.
slayerduck
05/07/17 09:54PM
Only using cloudflare DNS, also letsencrypt is not safer then any other SSL certs really.
gnuorange
05/08/17 10:09AM
Hello,
Nice website you have running.
I am pretty happy to see for once a website with such content that uses encryption.
Not too much JS either it's pretty neat that it is possible to navigate without it.
Good work

Do you plan to run it on a Tor node one day ?
I know the risks I am just asking.

slayerduck said:
Only using cloudflare DNS

I don't see no harm in that... for now.


also letsencrypt is not safer then any other SSL certs really.

Never said it's was.
I just asked why it was used instead of another solution than can be considered better for multiple reasons.

Have a good day
bipface
05/08/17 12:28PM
gnuorange said:
Not too much JS either it's pretty neat that it is possible to navigate without it.
Good work

heh, it's funny to read that when i consider how much time i spent adding extra JS to this site
gnuorange
05/11/17 04:12AM
bipface said:
gnuorange said:
Not too much JS either it's pretty neat that it is possible to navigate without it.
Good work

heh, it's funny to ready that when i consider how much time i spent adding extra JS to this site

HAHA ^^
When I say JS I mean client side JS not especially server side JS.
The only moment that I need to use client side JS is for posting comments like here.
I don't mind people who use JS has long they don't put it on the client side.

So what's the reason you made this website ?
For your own entertainment ? money ? lack of website like this one without HTTPS ? problems with other boorus ?
Or simply money ?
Or maybe multiple reasons, idk :)
bipface
05/11/17 12:15PM
gnuorange said:
bipface said:
heh, it's funny to read that when i consider how much time i spent adding extra JS to this site

HAHA ^^
When I say JS I mean client side JS not especially server side JS.

i meant client-side JS
http://github.com/bipface/userscripts
1


Reply | Forum Index