#certificateAuthorities

2026-01-15

🥳 @small-tech/syswide-cas v7.0.2 released

Enables Node.js to use custom Certificate Authorities (CAs) alongside the bundled root CAs.

codeberg.org/small-tech/syswid

• Drops legacy Node support
• Is now ESM
• Improved code quality
• Added TypeScript type information

Full change log: codeberg.org/small-tech/syswid

Enjoy!

💕

#SmallTech #releases #syswideCAs #TLS #NodeJS #CertificateAuthorities

2025-06-04

2 #CertificateAuthorities booted from the good graces of #Chrome

#Google says its Chrome browser will stop trusting certificates from two certificate authorities after “patterns of concerning behavior observed over the past year” diminished trust in their reliability.

The 2 orgs, #Taiwan -based #ChunghwaTelecom & #Budapest -based #Netlock , are among the hundreds of cert auth trusted by Chrome & most other #browsers to provide digital certificates that #encrypt traffic

arstechnica.com/security/2025/

Ars Technica News arstechnica@c.im
2025-06-04

Two certificate authorities booted from the good graces of Chrome arstechni.ca/psvk #certificateauthorities #chromebrowser #Security #Biz&IT #Google #google

2025-03-12

crazy, how many #tls #CertificateAuthorities an #Android trusts by default, including institutions of authoritarian states! However, the fact that this list of trustworthy CAs is apparently adopted by default by #GrapheneOS without question makes me a little suspicious. Here is at least a much more restrictive list that has proven to be completely sufficient for me in recent years (in the German-speaking part of the Internet). #unplugtrump

screenshot of a list of cas (short version with short names) ticked as trusted on android 15
Amazon
Baltimore
Comodo
D-trust
DigiCert
Entrust
GlobalSign
Internet Security Research Group
QuoVadis
SecureTrust
Starfield
SwissSign
T-Systems
The USERTRUST Network
XRamp Security
find you on :butterfedy1: fediversefrogzone@wizard.casa
2024-12-05

To get away from CAs (#certificateAuthorities) i think web servers and sites ought have a list of other sites that they can vouch for, to build a Web Of Vouched Encryption And Names (WOVEAN), and then ppl can, as they type a name, see their WOVEAN address book in real time and see the sites that were used to vouch for the name and public key.

So if my website links to a page then the public key of the site, in beech32 format (the format used by i2p) goes into a list for vouching. The more I use links to a site the stronger the "vouch" for that site.

i suspect that every site will have on average 200-400 sites that they'd vouch for, with 150 of those being strong "vouches" but a fediverse server might end up with tens of thousands of weak "vouches". A fedizen who wants to visit postal.com might just be able to ask any fediserver for all names that start with "po".... if that would result in too big a list then the fediserver can refuse and the fedizen can ask for all results starting with "pos", an extra letter etc. this continues until a mapping of names to B32s can be provided.

this sort of thing might work as part of an addon that i've been proposing to help fedizens crowd serve fediverse media over i2p. Media that they as INDIVIDUALS like and share, or (for improved #search) an INDIVIDUAL FEDIZEN might even share all posts that they can see, which use a #hashtag that they as an INDIVIDUAL have used. This proposed addon i have previously called #DCN (DeCentralized Network), which is ITSELF a tongue-in-cheek rebuttal of the oft-centralized #CDNs.

i2p has a weird and annoying quirk that has made it technically totally possible for the #nameservers to claim a "subdomain" of a site, eg. betty in betty.postal.i2p belongs to a completely different entity to postal.i2p.... but for what i propose, if a browser WANTS to know what the B32 of betty.postal.i2p is then it would HAVE to ask postal.i2p. and it should be possible for a subdomain to have the same public key as the toplevel domain (currently i2p address books don't allow this, which is sort of dumb to me).

really this system could work like the pet naming scheme from @cwebber et al

does this sound compelling? really I don't think i'm outlining anything new here, I've just come up with an acronym, WOVEAN, which might help make the concept more palatable to the average non-techie...

Eg. "Is your site #wovean?"

and i'm combining this with an addon proposal with overlapping functions.

a negative is it may add to the amount of responsibility that webmasters/servers have, but not for i2p natives, as most people who share links in i2p will often share them alongside the b32 link. We WILL however want the webserver to be able to detect when it is sharing a WOVEAN link, so that it might AUTOMATICALLY(?) go into the site's address list? The browser addon would detect that a site is WOVEAN from info in the html head, and ask the viewer if they would like to "Fetch the WOVEAN addresses"?

(If you don't interact I'll recommend to folks not to tag you, in subsequent responses.)

#encryption #naming #dns #mitm #infosec #sociology @gabriel @nimda @silverpill @fedilist @p @r @i2p@mastodon.social

This is MADNESS.

“If these Qualified Trust Service Providers (QTSP is the name given to a CA that issues QWACs) are all they're cracked up to be, then why can't they just submit to the existing audit/approval process and pass with flying colours? That's not too much to ask, is it?”

scotthelme.co.uk/what-the-qwac

#InfoSec #Internet #Security #TLS #CertificateAuthorities

2022-11-08

A caveat to what I said - there *are* rogue Certificate Authorities out there:

washingtonpost.com/technology/

That's not to say rogue CAs are a threat to every system or user equally. As the article points out, they will probably be used sparingly to get at high value targets.

Anyway, take care to audit which CAs you trust in your browsers and other applications.

If you have a very specialised server application it doesn't need to trust 100-odd CAs!

#certificateauthorities #trust #tls

Dick Smiths Fair Go Supporters dsfgs@activism.openworlds.info
2022-02-15

@neil
Tor is really a basic standard today.

We envisage banks becoming key stores, for local onion websites (tor and importantly I2P, which does more than tor). They will also be a place where people can go to be connected to local jobs and to register to vote on local govt budgets.

Among other things.

Gone are the days where people trust a handful of global #CertificateAuthorities.

Dick Smiths Fair Go Supporters dsfgs@activism.openworlds.info
2022-01-18

@cy
We came to that realisation fairly quickly, once we started looking. The #CertificateAuthorities (CAs) are large in number but not enough to be considered #decentralised.

In reality #banks are a logical vendor. You'd visit local banks, and use the certs they sign for local business. They could possibly store #I2P addresses from partner banks they are confident about also.

Our banks are buggered in #Australia though. They're even worse than #SSL

They are #cloudflare MITM'd!

Dick Smiths Fair Go Supporters dsfgs@activism.openworlds.info
2021-09-22

@selea
Hi Maike,

We were similarly cautious about OMEMO once, then we watched a video about how the DoubleRatchet algorithm works and OMEMO is no longer an issue.

I2P federation is now our biggest hurdle. We don't believe people should have to buy domain names and be beholden to #certificateAuthorities for basic #communication.

@2342 @maikek @ademalsasa

Dick Smiths Fair Go Supporters dsfgs@activism.openworlds.info
2020-09-23

@witchescauldron
(2/2)

It's deeply troubling that systems like Tor and i2p have existed for over a decade yet no one has had the guts to promote them strongly. We've had #netNeutrality destroyed, #dragNets built, #techGiants crush #independentMedia, and respected #certificateAuthorities exposed for issuing faulty #encryptionKeys...

What more do we honestly need!?

But when we try to suggest the alternative, many act like it's too extreme. The #sleepwalking is real.

Dick Smiths Fair Go Supporters dsfgs@activism.openworlds.info
2020-09-22
2020-02-24

Apple chops Safari’s TLS certificate validity down to one year - From 1 September 2020, Safari will no longer trust SSL/TLS certificates with more than a year on t... more: nakedsecurity.sophos.com/2020/ #certificateauthorities #securitythreats #ca/browserforum #tlscertificates #cryptography #applesafari #webbrowsers #privacy #ssl/tls #google #safari #apple #https #sha-1 #tls
