[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Forward Secrecy



>> Somehow I bet there will be a move to this rather soon.

> I have my doubts.  Newer SSL libraries have PFS support but whether or
> not admins or hosting providers will upgrade to them (or enable PFS
> ciphersuites) in a reasonable period of time remains to be seen.  For
> example, Dreamhost has no immediate plans to upgrade their server
> infrastructure to include releases of OpenSSL that support PFS.

It could be viewed as an interesting differentiator given the leaks in the
news. Who will, who won't? What's their motivation? And does it matter?

>> Yet note, Dec, a provider simply logging the session keys is still
>> possible.

> On the server side, or in their production networks?

>From the servers obviously, it's just another log item, master/session key...
openssl s_client -connect google.com:https -cipher ECDHE-RSA-AES256-GCM-SHA384
(leaving in the -no_ticket and not using -reconnect as some might not.)

>> Though much costlier for evil pursue that cheap route if there are
>> lots of small mail providers out there for people to use... who
>> says you have to use the big three, or cannot run a mail service?

> running a personal mail service is problematic today for several
> reasons.
> Firstly, the CPU power required to perform decent spam filtering is significant.

No, CPU is cheap and largely sits idle, particularly for limited nodes.

> it makes more sense to buy the services of a provider who factors that in.

You are your own provider, often protected by current provider law.
So run things, a mesh, a node, whatever might be of interest. Noting
whatever contract law you wish to recognize...

> Second, if your server is on a net in CONUS, it can be blackbagged.

As is no different than any other country.

> Third, antispam blacklists are notorious for deciding that an IP is hostile and blacklisting it

Then further develop heuristic science, markov windows, various
local classifiers and distributed consensus subscriptions, non
soley IP based things.

> this is why I stopped running my own, incidentally -
> fewer and fewer people were receiving mail from me

Stop chickening out and relying on sole services, complain according
to your inalienable rights, stay strong and force the market to
incorporate and honor distributed ones.

There's been talk of coordinating a next gen mix mail deployment, tor/i2p
nodes, etc... well those are already sunk costs, same as your own internet
connection is, so give them a domain and call it free/bitcoin email up to 25k
accounts per node. Today that's a few thousand nodes or 75mil people.
Much costlier to produce/demand session keys from 3k nodes around the
world than from say google's 10.

> A few of us have been testing Retroshare (http://retroshare.sf.net/)

Yes, people should openly publish invitations to their technology tests,
joining up in them to qualify the technologies and models would be a
good thing.

We need to break free of this simple 'get it all in one place' mentality.
Start signing your current apparrent node into a global DHT.
Start looking at things like diaspora.
Start distributing services.
Start using anonymization and encryption by default.