Post 9l2uGaN9OtHDmtlW3E by 61@en.osm.town
Post #9l0YO739iaHnr2g2ng by WPalant@infosec.exchange
2019-07-19T10:52:05Z
1 likes, 1 repeats
So here you have the full picture now: #PGP doesn't work and never will. Stop recommending it, stop organizing key signing parties, you aren't helping anybody doing that. Just put it in the grave instead. #RIPPGP #crypto #infosec https://latacora.singles/2019/07/16/the-pgp-problem.html
Post #9l0YO7pMpKqoGZEXwm by leip4Ier@infosec.exchange
2019-07-19T12:46:33Z
0 likes, 0 repeats
@WPalant what about using pgp to sign git commits? there's no other way as far as i know. better than nothing? also i can hardly imagine linux package managers moving away from pgp, sadly...
Post #9l0ax4G0IFEREjTxXk by WPalant@infosec.exchange
2019-07-19T13:15:17Z
0 likes, 0 repeats
@leip4Ier Is it stupid if I never understood the point of signing Git commits? Is anybody ever validating signatures on commits found in the project's official repository? As to Linux package managers - yes, they are heavily invested in PGP, for no good reason. I doubt that anybody really checks the signing key when a repository changes theirs - PGP key servers are no real help here. If anything, key validation should be taken out of users' hands (e.g. centralized by distribution).
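On the question raised above of whether anyone actually validates commit signatures: here is what such a check looks like in practice, as an added example written for this thread and not code posted by anyone in it. It relies on git's own `%G?` and `%GS` log placeholders (documented in git-log(1); `%G?` needs gpg installed) and flags every commit whose status is anything other than "G". The `check_repo` function runs against a real checkout; the `SAMPLE_LOG` lines are constructed so the rest runs offline.

```python
"""Report commits whose signature git cannot vouch for.

Added example for this thread, not code from any of the posters. It uses
`git log --format=%H%x09%G?%x09%GS` (placeholders documented in git-log(1);
%G? needs gpg installed) and flags every commit whose status is not "G".
The log lines in SAMPLE_LOG are constructed for the offline demo.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Iterable

# Meaning of git's %G? status letters, per git-log(1).
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity (key not trusted)",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

LOG_FORMAT = "%H%x09%G?%x09%GS"  # sha <tab> status <tab> signer


@dataclass(frozen=True)
class CommitSig:
    sha: str
    status: str
    signer: str

    @property
    def meaning(self) -> str:
        return STATUS_MEANING.get(self.status, "unknown status %r" % self.status)


def parse_log(text: str) -> list[CommitSig]:
    """Parse lines produced by LOG_FORMAT into CommitSig records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 2)
        sha = parts[0]
        status = parts[1] if len(parts) > 1 else "N"
        # An unsigned commit leaves %GS empty, so the signer field may be blank.
        signer = parts[2] if len(parts) > 2 else ""
        commits.append(CommitSig(sha, status, signer))
    return commits


def flagged(commits: Iterable[CommitSig], accept=("G",)) -> list[CommitSig]:
    """Commits whose %G? status is not in the accepted set.

    The default only accepts "G". Passing accept=("G", "U") additionally
    tolerates signatures from keys that verify but are not marked trusted
    in the local keyring, the usual case when checking someone else's project.
    """
    return [c for c in commits if c.status not in accept]


def check_repo(repo_path: str, rev_range: str = "HEAD", accept=("G",)) -> list[CommitSig]:
    """Run git log on a real repository and return the flagged commits."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return flagged(parse_log(out), accept)


# Constructed sample output, shaped like what git prints for LOG_FORMAT.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tG\tAlice Example <alice@example.org>",
    "2222222222222222222222222222222222222222\tU\tBob Example <bob@example.org>",
    "3333333333333333333333333333333333333333\tE\t",
    "4444444444444444444444444444444444444444\tN\t",
])


def report(text: str = SAMPLE_LOG, accept=("G",)) -> list[str]:
    """Human-readable lines for every flagged commit."""
    return [f"{c.sha[:12]} {c.status} {c.meaning}" for c in flagged(parse_log(text), accept)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

The point the thread is circling is visible in the status table: a "G" only means gpg found a good signature from a key it has and trusts, so the check is only as good as the keyring it runs against. A CI job that runs `check_repo` against a pinned keyring of maintainers' keys gives a project a real answer to "is anyone validating these?", whereas a clone on a random end-user machine with an empty keyring reports "E" for everything.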
Post #9l0dCwAAM3JSftRkQ4 by leip4Ier@infosec.exchange
2019-07-19T13:40:33Z
0 likes, 0 repeats
@WPalant i just realized that it's something i thought was good without thinking it over. indeed, nobody is gonna secretly rewrite a git repo; end users cloning repos are unlikely to check the signatures. so the only use case i can imagine is when a three-letter agency tries to push a commit using the name of a not-so-active contributor, but that doesn't sound likely either. easier to use law enforcement to make that person do it themselves...
Post #9l0dGVQRhoeKuNlMye by leip4Ier@infosec.exchange
2019-07-19T13:41:13Z
0 likes, 0 repeats
@WPalant i wanted to sign commits before, but didn't wanna deal with gpg, so i never actually configured it :x
Post #9l0dW5Rw3FoyyjtCPg by leip4Ier@infosec.exchange
2019-07-19T13:44:02Z
0 likes, 0 repeats
@WPalant as for package managers, i don't know about others, but pacman uses a web of trust; keys of the main developers are stored in a separate package, and i used to think that it doesn't involve keyservers. turns out it does, but i think rather rarely? so the repo key never really changes, it's a slow rollover: one dev leaves, another joins, all sign their key. the user doesn't have to choose whether to trust the key or not.
Post #9l1AzumpYdPx5CUfey by r000t@infosec.exchange
2019-07-19T19:59:11Z
0 likes, 0 repeats
@WPalant PGP: Because I want to pretend to be a secret agent, but I also want to share keys every time I want to send a message to someone.
Post #9l1YFX8XYKobJU44YK by varx@infosec.exchange
2019-07-20T00:19:43Z
0 likes, 0 repeats
@r000t @WPalant I actually have used PGP a couple times this month, to share a secret key with someone remotely over a channel I could only reasonably assume was safe from MitM. It was a little painful, but it worked... and yes, in both cases we had to manually do a key exchange first. >_< I did appreciate that it existed, though.
Post #9l1YK0AvWwJSX6JOEK by r000t@infosec.exchange
2019-07-20T00:20:31Z
0 likes, 0 repeats
@varx @WPalant Yup. Routine for tech types, but for journos and other people who rely on it for secrecy, but aren't necessarily computer people, it's outright dangerous (a mistake can get you killed).
Post #9l2k6BVvy9gCFmH8sq by WPalant@infosec.exchange
2019-07-19T10:52:30Z
0 likes, 0 repeats
The scary thing: some products in need of #crypto such as password managers are being built on top of #PGP because that's supposedly easier to get right. But it's not. Looking at #Passbolt for example, there are definitely better ways to do public key crypto. #infosec
Post #9l2k6BoiqIhzC349AW by m4iler@infosec.exchange
2019-07-20T14:07:12Z
0 likes, 0 repeats
@WPalant Looking at passbolt, it looks like pass, but shitter and paid. Currently happy with pass for password storage, because I can easily merge two password repos independently. It's nice.
Post #9l2kZa65eHCYtXCkCG by m4iler@infosec.exchange
2019-07-20T14:12:31Z
0 likes, 0 repeats
@WPalant Also, quite interested in what I could use instead of PGP. Signal's nice, but I want to not depend on anyone else's server. I believe e-mail is fine, as horrible as it may be. Public key crypto might make it better.
Post #9l2kqEhgRWT9SyjL4S by WPalant@infosec.exchange
2019-07-20T14:15:32Z
0 likes, 0 repeats
@m4iler Passbolt is open source software, you can use it for free if you don't need support. However, it's mainly targeted at organizations, not individual users, so not really comparable to pass.
Post #9l2la8oqeZFAXLyFMW by WPalant@infosec.exchange
2019-07-20T14:23:49Z
0 likes, 0 repeats
@m4iler You always depend on someone's server. Even if you self-host email, your communication partner most likely won't. If their server goes down or decides to blacklist your email server (happens way too frequently), you won't be able to communicate. You could theoretically also self-host a Signal server, but I don't think that you really want that. More like a less centralized system which just happens to work and be secure - I'm not currently aware of any.
Post #9l2uGa8GIFMp2incqO by 61@en.osm.town
2019-07-19T15:18:05Z
0 likes, 0 repeats
@WPalant So *here* you have the full picture: the linked blog post is a load of random whingy twaddle. Apparently from a “security” company(?) too precious to bother with such things as legal name or registered office details.
Post #9l2uGaN9OtHDmtlW3E by 61@en.osm.town
2019-07-19T15:18:35Z
0 likes, 1 repeats
@WPalant We can all sit here and criticise all day. Meanwhile, #GPG has been painstakingly and mostly single-handedly maintained all these years thanks to the efforts of a single person. Mostly using his own money plus whatever little public funding he could get from #German administrations (it was only last year that Google coughed up €100K to help out). What I say: fix it, pay someone to fix it or stop looking stupid and shut the fuck up.