@BryanLunduke audio is kinda funny... sounds like a studio mic without a proper recording room :v

@BryanLunduke I think you missed a point that resolves (or should) the false Certificate problem.

The solution has existed from late 2016 but it's recently becoming more adopted by major players (I hope, at least.)

I was actually speaking to cloudflare's engineers about its implementation recently.

This doesn't stop the other issues, but it's a good thing to note for future reference: en.wikipedia.org/wiki/DNS_Cert

@BryanLunduke and DNSSEC + CAA in theory _completely_ overrides your points.

This is of course, in theory.

But at least whatever three letter agency would have to ask themselves: "Is this worth it?"
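The CAA mechanism mentioned above works by letting a CA climb the DNS tree to the closest CAA record set and refuse issuance unless it is named there. The following is an added example (not code from the thread) that models that RFC 8659 lookup and decision over a constructed in-memory zone; a real CA would resolve the records through DNSSEC-validated DNS, which this snippet does not model.

```python
"""CAA (RFC 8659) relevant-record lookup and issuance decision.

Added example, not code from the thread. ZONE is a constructed stand-in for
live DNS: name -> list of (flags, tag, value) CAA records.
"""
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]

ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),       # only this CA may issue
        (0, "issuewild", ";"),                 # ';' = no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [
        (0, "issue", ";"),                     # nothing may be issued under here
    ],
    "strict.example.com.": [
        (128, "futuretag", "x"),               # critical flag (0x80) with unknown tag
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(text: str) -> CAARecord:
    """Parse presentation format: '<flags> <tag> "<value>"'."""
    flags, tag, value = text.split(None, 2)
    return int(flags), tag.lower(), value.strip('"')


def relevant_caa(name: str, zone: Dict[str, List[CAARecord]] = ZONE) -> Optional[List[CAARecord]]:
    """RFC 8659 section 3: walk from the name towards the root; the first
    CAA RRset found is the relevant one (records below it do not apply)."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return None


def _ca_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name: str, ca: str, wildcard: bool = False,
                     zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    """Return True if CA `ca` may issue for `name` (or *.name when wildcard)."""
    rrset = relevant_caa(name, zone)
    if rrset is None:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    # A critical property the CA does not understand forbids issuance.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if wildcard and not values:
        values = [v for _, t, v in rrset if t == "issue"]  # issuewild falls back to issue
    if not values:
        return True  # RRset restricts nothing for this kind of issuance
    return ca.lower() in {_ca_domain(v) for v in values}


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "digicert.com", False),
                           ("example.com", "letsencrypt.org", True),
                           ("a.locked.example.com", "letsencrypt.org", False)]:
        print(host, ca, "wildcard" if wild else "", issuance_allowed(host, ca, wild))
```

The climb in `relevant_caa` is the part people get wrong when they publish CAA: a record on `example.com` is shadowed for `locked.example.com` by the record set there, and the empty `";"` value is what actually turns a zone into "no CA at all".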

@BryanLunduke certainly an interesting take. I think the largest problem is the hashing algorithms. We do need a community built one. That being said, true randomness is near impossible to do using computer logic. Dunno if you've seen Tom Scott's video on the matter at Cloudflare. Worth a watch

hooktube.com/watch?v=1cUUfMeOi

@octobyte @BryanLunduke if it's already on the internet, why not have it seed from random.org, it could even alert that random.org didn't connect

@BryanLunduke When you take your own HTTP website as an example and say it is as secure as an HTTPS one, it is simply wrong: HTTPS protects you from tampering. Anyone who visits your website (or any other HTTP site) is taking the risk of receiving an altered version, maybe with malicious code added.

It's too bad you didn't really discuss this issue :/

@lhark @BryanLunduke 's point is that https no longer (if ever) stops this. All it does is tell you that *maybe* that's really the site you wanted to go to.

That said, broken encryption is better than no encryption. Nothing stops the post office from opening and resealing envelopes I mail.

@BryanLunduke Mr.Lunduke, ranting about HTTPS is not an excuse not to implement it on your domain :P You don't get the speed benefits of HTTP2 that way.

@BryanLunduke So as a direct response, currently https vs http is like an envelope vs a post card. Nothing stops someone from opening the envelope, but at least you can see when someone who's terrible at it did so.

@BryanLunduke here's why: news.ycombinator.com/item?id=11781915
@jeff why dad, why do you fall for low hanging bait?
@BryanLunduke never once in his life designed a protocol, why should you listen to a moron like that?!?
@miwilc ITT answered beautifully
Nothing like WoT broken to the core
Why, God, why?.jpeg
@benis @BryanLunduke @miwilc https isn't broken, the CA infrastructure that props it up provides a false sense of security, it's snake oil.
@jeff but @miwilc you and I know this.
DANE rfc7671 has existed to mitigate this for 3 years now.
Adoption is the problem, not a protocol for behaving as designed.
@BryanLunduke
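DANE, as referenced above, binds a TLS certificate to a DNSSEC-signed TLSA record so that a mis-issued CA certificate does not match. The following is an added example (not code from the thread) of the RFC 6698/7671 association check for the DANE-EE usage (3); the certificate and SubjectPublicKeyInfo bytes are constructed placeholders standing in for the DER values a client would take from the TLS handshake, and the DNSSEC validation of the record itself is assumed, not modelled.

```python
"""TLSA record parsing and DANE-EE (usage 3) matching per RFC 6698 / RFC 7671.

Added example, not code from the thread. LEAF_CERT / LEAF_SPKI and
ROGUE_CERT / ROGUE_SPKI are constructed placeholder bytes, not real DER.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def parse_tlsa(text: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, hexdata = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the bytes a TLSA record would carry for this certificate."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def dane_ee_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 7671 section 5.1: for DANE-EE the end-entity certificate alone must
    match the record; no CA chain is consulted, so a rogue CA cert that is not
    in DNS fails here. Other usages additionally need PKIX validation and are
    deliberately rejected by this function."""
    if record.usage != 3:
        return False
    try:
        expected = association_data(cert_der, spki_der, record.selector, record.mtype)
    except (KeyError, ValueError):
        return False  # unusable record: unknown selector / matching type
    return hmac.compare_digest(expected, record.data)


def any_dane_ee_match(rrset: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """A server is accepted if at least one usable TLSA record matches."""
    return any(dane_ee_matches(r, cert_der, spki_der) for r in rrset)


# Constructed placeholder "certificates" (not real DER).
LEAF_CERT = b"constructed-leaf-certificate-DER-bytes"
LEAF_SPKI = b"constructed-leaf-subject-public-key-info"
ROGUE_CERT = b"constructed-ca-mis-issued-certificate-DER-bytes"
ROGUE_SPKI = b"constructed-ca-mis-issued-subject-public-key-info"

# What the zone operator would publish for the legitimate key: '3 1 1 <sha256(SPKI)>'.
PUBLISHED_TLSA = "3 1 1 " + hashlib.sha256(LEAF_SPKI).hexdigest()


if __name__ == "__main__":
    rrset = [parse_tlsa(PUBLISHED_TLSA)]
    print("legit cert accepted:", any_dane_ee_match(rrset, LEAF_CERT, LEAF_SPKI))
    print("rogue cert accepted:", any_dane_ee_match(rrset, ROGUE_CERT, ROGUE_SPKI))
```

Selector 1 with SHA-256 (the common "3 1 1" form) pins the key rather than the certificate, so the operator can renew the certificate without touching DNS as long as the key is kept; the cost is that a key rotation must publish the new record ahead of time or clients will reject the new certificate.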
@benis @BryanLunduke @miwilc something like namecoin provides a great promise for a dnssec/CA alternative. abolish the CA cabal NOW.

@BryanLunduke I feel like having to yell at you again 😉

Sure, some points in your video are correct, others are way oversimplified or plainly wrong.

1. Bad encryption is always still better than no encryption. full stop.
2. HTTPS is not dangerous; NSA et al. & backdoors are.
3. Your website not delivering https enables MITM attacks with Payload injections permanently infecting users' PCs. HTTPS on your website is NOT pointless.

@BryanLunduke

I'll weigh in with my 3 pence worth

The danger of HTTPS is the lack of education in that it is only one link in the chain & over reliance on the green lock is misplaced

I relate HTTPS and HTTP to having a conversation in your own home and in a Bar.

At home you have a reasonable expectation of privacy & confidence in your environment, yet someone may still overhear or see the discussion taking place

In a bar an acquaintance could easily eavesdrop & disseminate the conversation

@BryanLunduke

Example:

I work for a major UK retailer on the "product Q&A team"

While searching an answer, I located a Fake Clone site of my employers.

The domain was similar to the official site. It ranked higher in google search results.

It was an EXACT clone, in every sense, in fact it was "better" as it was quicker & more responsive

My colleagues & manager did not notice it was fake - until I listed a few things, all commented it had the green-lock so must be ok.

The site was reported

@JaseEW @BryanLunduke
Unless you have Alexa, google, Siri, a powered up laptop or a smartphone in your home...

@DistroJunkie @BryanLunduke

That's part of why I added "yet someone may still overhear or see the discussion taking place" 😀

@BryanLunduke in all of this negativity, I won't focus on HTTP vs HTTPS as far as protocols go. But I had no idea the government had been involved. If there is one thing we've learned, that is that we can't actually ever trust a secretive government agency.

That said, after delving in deep on the exploitation side of the internet, I can justly say that it really doesn't matter anymore if you use HTTP or HTTPS. I mean some say that at least there is some sort of encryption, but that...

@BryanLunduke ... doesn't actually matter anymore. Thanks to the NSA/Govt-in-general it doesn't matter to the common black/grey hat if it is HTTP or HTTPS. The "S" doesn't change the ease of the exploitation very much. It just changes the method... sort of. I'm just saying, if you insist that you/your company needs the "S", you are misguided by what that means. To the black hat, it is the difference between eating an apple and eating an orange. The method is different but you get the same results

@BryanLunduke Sorry, one more stream of consciousness.

@BryanLunduke is right in that the "S" is dangerous since it actually provides almost no benefit of security. It is an illusion. That is what the black hats rely on. That is probably 90% of an exploit/injection/whatever. Gaining trust is the only really essential tool in a black hatter's tool bag. The "S" stands for trust and that is why it's dangerous.

Don't trust the NSA/Govt/Google/Facebook/Anyone. They all lend to your false security.

@BryanLunduke One minor complaint with the video: HTTPS isn't necessarily end-to-end encrypted, its status that way depends on context.

For example if your site was running HTTPS it would be end-to-end encrypted because the conversation's between us. But Facebook using HTTPS doesn't make it end-to-end encrypted as the conversation is between your acquaintances using the site, not Facebook itself.

But then again, that's part of the point of your video. HTTPS is only part of the solution.

@BryanLunduke And no, I'm not attached to HTTPS. In many (most) cases it's not much better than HTTPS.

I'd much prefer to be using a technology like IPFS, that has both caching and end-to-end encryption!

@BryanLunduke Wow Bryan - you're better than this. I think you just got a bee in your bonnet over the NSA's involvement, even though the algorithms will have been independently audited.

Faking a cert is only easy if you obtain the key, or you have a dodgy CA. Either way, HTTPS stops casual eavesdropping on traffic, which is important.

I think this video is irresponsible at best and dangerous at worst, and I reiterate, you're better than this fear mongering click-bait