yeah. this is where oakpacific is going with that link. i might take the trouble to investigate this route further today, because if it can be done *without extra dependencies*, then it's worth the effort to get it right now.
i'm just a bit worried it might need something crazy like an NSS build.
oakpacific
waxwing: well, from the place i get the link it doesn't
it's a common tool
but
i don't think server certs are stored locally?
waxwing
" Most applications do not use the shared database by default, but they can
be configured to use them. For example, this how-to article covers how to
configure Firefox and Thunderbird to use the new shared NSS databases:"
i vaguely remember this point. Firefox can be rather funky; e.g. on Windows it builds its own modified version of NSS.
i'm not saying i know what's going on, i don't - but with something like this, don't get your hopes up. The closer we get to keeping the browser's PKI, and using it in the exact same way as the browser, the better.
oakpacific
why does it insist on exporting keys as well?
private keys i mean
waxwing
(actually certutil was the one i looked at before, not pk12util)
yes oakpacific it seems to be all about private keys. maybe not what we want.
oakpacific decides to work on padding again to see if the need for third-party check can be eliminated
i'm talking about the polling and downloads that windows does in the background
waxwing
no sure, i knew you weren't talking about that, just wondering what's better.
dansmith_btc, good point. for global accessibility. wikipedia can be problematic in china
dansmith_btc
oakpacific, i believe there is no clever reduction for P^e/S^e
waxwing
P^e / S^e = P^e * (S^-1)^e = (PS^-1)^e (with mod n mod n mod n liberally sprinkled around)
which may be helpful or utterly useless i guess
oakpacific, any of the ones we discussed blocked? twitter is blocked, right.
wikipedia i *think* is not. or maybe partially.
so yeah maybe should go with mozilla, gnu, debian - i don't think this kind of thing is blocked anywhere, even though apparently visiting linux forums makes you a terrorist in some circles.
oakpacific
you can't take that standard i guess, otherwise, how would you cover iran, syria and nk?
waxwing
oakpacific, overall you're probably right. but it would be nice to have a list that everyone could use.
oakpacific
just ignore the censorship, localization can always be done by the locals
people have different perceptions of trust, it's really difficult to establish a common set of oracles
waxwing
yes. you're right. and btw, it's nice to see you pay attention to the needs of the North Korean tlsnotary users :)
oakpacific
but to be my own devil's advocate, hearn's insight is particularly sharp
hearn
which insight is that?
oakpacific
apple and microsoft basically penetrate every corner of the world
corps like them
waxwing
lol be careful hearn , you might cut yourself :)
hearn
blocking google, microsoft and apple is really hard for basically any society that has computers because our devices contact their servers so frequently in the course of normal operation
iran tried to block gmail and the government got flamed so hard by the iranian people they unblocked it a short time later
waxwing
china is cleverer than that
they just made it utterly crap
hearn
well china cares less and has homegrown competitors for everything
iran does not have a local equivalent to web search or gmail. china does.
waxwing
absolutely
hearn
even so i guess china cannot realistically block windows update
oakpacific
speaking of local equivalents
hearn
given their dependency on windows
oakpacific
chinese equivalents of gmail are utterly crap. like this : http://ym.163.com/
i guess you can see the problem without reading Chinese
waxwing
the most interesting thing about the chinese approach to internet censorship is how they applied the idea of injecting noise into the signal, rather than just switching it off.
oakpacific, no ssl?
hearn
western equivalents of gmail suck too :)
oakpacific
waxwing: it's even worse
hearn
lol
even better. try doing https yourself
oakpacific
no ssl on the login page
but give you a tickbox of "enabling ssl"
hearn
Philip Sheldrake
oops
huh interesting
oakpacific
which is indeed enabled for the transmission of mailbox content, if you tick
hearn
the new chrome ssl error page allows me to select text, but i cannot copy it
waxwing
do i dare wireshark it oakpacific ? :)
hearn
oakpacific: oh yeah lol. at least it's ticked by default.
oakpacific
waxwing: sure why not
hearn
oakpacific: perhaps it's optional so people who travel outside the firewall can still read their mail.
oakpacific
hearn: well...
i may be fine with no ssl, but i won't trust my email to a bunch of people who know nothing about it at all
and *pretends* to know
waxwing
back in a bit.
waxwing has quit
oakpacific
hearn: how do you know? it could totally be the middle man enabling it by default :)
hearn
haha
true!
oakpacific
some rumors i heard recently are even worse
waxwing joined the channel
waxwing has left the channel
waxwing joined the channel
occasionally there are Chinese flight passengers who receive scammy SMSes about the change of their flights, and directing them to phishing sites
but every personal detail in the SMS is correct, and they are shocked
so the rumor has it that since lots of Chinese agency sites simply use no https, corrupt local ISP workers simply hijack the connection and sell the personal info to the scammers
oakpacific, are you busy setting up a nice hack based on that? :)
meanwhile, i'm starting to fix things up based on hardcoded pubkeys. i think we should modify the peer handshake so that auditee passes only domain name of randomly chosen reliable site.
this will be appropriate for hardcoded or future better versions.
oakpacific
waxwing: as i said, i am trying again to see if we can do anything with the padding
waxwing
oakpacific, oh yeah. well i wish you luck getting rid of the zeros. I somehow convinced myself that trying to solve that was equivalent to solving FHE :)
but you are more imaginative than I.
so you weren't impressed by my getting passwords in plaintext over the wire? Well, I guess 'impressed' isn't the right word :)
oakpacific
waxwing: tks
waxwing
Makes your stories about China all the more plausible.
oakpacific
waxwing: being from China, you just kind of get desensitized to this sort of thing, these are just commonplace
hearn
lol@webapps
protonmail.ch, the cool new encrypted webmail service
"Creating account ...... this may take up to five minutes and freeze your browser"
great
waxwing
they should go back to smashing protons together :)
exponent is 2 bytes? is that right? or is it 4.
oakpacific
hearn i would like to kindly mention this also comes from my countrymen :)
waxwing: which exponent? 65537?
hearn
oakpacific: what does?
waxwing
yeah sorry that. rsa.
oakpacific
hearn: protonmail
hearn
oakpacific: so you're swiss living in china?
oakpacific
waxwing: i meant protonmail's authors are Chinese
sorry was re: hearn
hearn
oh, they are?
oakpacific
hearn: yeah
they are Chinese living in Switzerland
hearn
Andy Yen
Wei Sun
Jason Stockman
oh yeah :)
nice
it looks nice anyway
clean. refreshing. looks cleaner than gmail
the two password solution is a good one
oakpacific
hearn: gmail used to be clean....
hearn
although - The connection uses TLS 1.0. The connection is encrypted using AES_128_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
not using ecdhe
well partly it's clean because it's VERY basic
oakpacific
waxwing: interesting is it, 2 bytes cover everything from 0 to 65535, just fall short of 65537
hearn: right basic, that's what i see as a fundamental flaw of server based encrypted email
waxwing
oakpacific, oh it's that way round. thanks for doing the arithmetic for me :0
oakpacific
you just can't search anything
which is not really what people would usually expect
hearn
i think HTML5 as a way to do robust encryption apps is a bust, tbh