On 31/08/13 15:52, Simon Waters wrote:
> Interesting, but I'm not sure the premise on PGP versus TLS. The PGP interfaces
> vary greatly in how much is exposed to the user, most are relatively straightforward.
> However if you want encryption to provide privacy you have to use it
> right, and I suspect that will always require some end user knowledge. Admittedly
> most users lack that knowledge for TLS myself included.

Agreed - philosophically I totally agree with the poor fellow who obviously just wants to push back a little against the steady erosion of perceived privacy, but technically, he's way out of his depth and it shows.

He complains about an "expectation of privacy", regardless of contracts, and I quote: "The service's terms of use may say what they want: Our expectation is that this kind of communication is private."

Wow, is he for real? When you sign up for Skype, Facebook, Hotmail, Google anything, etc, etc, that 50 pages of abstracted legalese he clicks straight through is exactly that, a damn contract: it doesn't matter what he "expects"! All of these companies are expressly providing a free service in exchange for the scanning, recording and mining of your personal data and the financial exploitation of that dataset for targeted advertising, etc. Teenagers understand this, I don't see why he doesn't. He's basically denying reality, and not doing himself any favours.

I also think you're (i.e., Simon) right about PGP/GPG these days - it's still not exactly intuitive, but Seahorse and other utilities do make it pretty damn easy to just click on a couple of buttons and set yourself up a nice shiny new keypair, and it's all pretty well integrated as well, with various daemons automatically offering to lock/unlock your keys and so on. It's definitely not the challenge it used to be.

And he is totally, utterly deluded when he starts waffling about SSL. It's painful to read, to be honest.
SSL is NOT easy, trivial or in any way "seamlessly integrated behind the scenes". He's apparently not heard about CRIME or BEAST. Or the NSA. Or key escrow. Or SSL stripping. Or the fact that all government agencies have access to the master keys issued by any CA. Or browser implementations vs server implementations. In short, he should probably never mention SSL in any technical capacity whatsoever... *rolls eyes*

The only reason SSL works at all as intended is because poor admins like me have to deal with the hideously complicated implementation details of stuff like crypto algorithms and cipher chains, which are super-easy to make a tiny mistake in and ruin the whole lot, and which keep us awake at night worrying about every little detail. I mean, look at the state of this:

    ghost@failbot:~/SRC$ grep SSLCipherSuite /chroots/MRE2/etc/apache2/mods-available/ssl.conf
    SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5

Yeah, it was really trivial to get that sorted out properly (this is currently a testing setup for properly brutally secure SSL - configured for no weak protocols, honouring CipherOrder, self-signed certs, no insecure renegotiation, perfect forward security enabled). So I don't know what crack he was smoking when he was babbling about SSL being trivial and ubiquitously seamless behind the scenes, 'cos it isn't. He's obviously only used, and never configured, it.

But as I do totally sympathise with his general argument, just not any of the technical details, I shouldn't give him that hard of a time. He's just another warning, I suppose, that as much as you may expect or like privacy, on the modern internet you'll need to work for it, because there is a huge, virtually omnipotent and omniscient state apparatus with a vested interest in you not having any. Harsh, but true.
Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
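As an added illustration (not from the post or the list), here is what the mod_ssl settings the poster lists look like when written out together: the poster's own SSLCipherSuite string alongside the protocol, cipher-order, renegotiation and compression directives; the certificate paths are placeholders, and the RC4 and SHA1 entries reflect 2013 practice (RC4 has since been prohibited for TLS by RFC 7465).

```apache
# Added example of an Apache mod_ssl vhost fragment matching the hardening
# properties described in the post. Paths below are placeholders.
<VirtualHost *:443>
    SSLEngine on

    # Self-signed cert as in the poster's test setup (placeholder paths)
    SSLCertificateFile    /etc/ssl/certs/example-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/example-selfsigned.key

    # "no weak protocols": disable SSLv2/SSLv3, leave the TLS versions on
    SSLProtocol all -SSLv2 -SSLv3

    # "honouring CipherOrder": the server, not the client, picks the suite
    SSLHonorCipherOrder on

    # "no insecure renegotiation": refuse clients without RFC 5746 support
    SSLInsecureRenegotiation off

    # CRIME (mentioned in the post) exploits TLS compression; turn it off
    SSLCompression off

    # The exact string from the post. EECDH/EDH first gives forward secrecy;
    # the RC4 entries were a 2013 BEAST workaround and are no longer acceptable.
    SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
</VirtualHost>
```

Running `openssl ciphers -v 'EECDH+AES:EDH+AES:-SHA1:...'` with the full string shows which suites the string actually expands to on a given OpenSSL build, which is the check worth doing before trusting any hand-written cipher list.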