- cross-posted to:
- technology@lemmy.world
I think that criminals will try and get those certs. Do big time damage to the EU and hopefully stop them pushing such bullshit…
Some hacking is ethical…
In fact most hacking is ethical. The public just doesn’t hear about it.
Tell that to politicians xD
Someone was prosecuted for hacking bc they hit F12. Lmao, never gonna get over that.
I know that story, sad and funny altogether: https://arstechnica.com/tech-policy/2021/12/missouri-planned-to-thank-security-journalist-before-governor-called-him-a-hacker/
Ah, looks like he was never prosecuted after all, but the whole situation was still a horrible mess.
That's an older source, saw some newer on reddit last week. Try to find it. But nothing happened to our hacking hero xD
Until they pass a law making it super duper no-no bad for anyone but the government to use this power.
… cause that’s how the internets works, it’s okay when the government does it, and they are able to control everything on the internet through regulations. Didn’t you know that?
Like regulations ever helped on the internet.
Tbf the politicians usually either hire Halliburton or have one of the technically literate agencies handle this kind of stuff.
This is from same entity aspiring to hold big tech responsible?
It’s like every 2 days there is a catastrophic law for privacy introduced in the EU. Last time with E2EE, now with HTTPS. It seems that the EU would agree to stop big tech from spying, but they don’t want anyone to hide from them.
Centralized CAs were and are a mistake. HTTPS should work more like ssh-keys, where the first time you connect to a website it’s untrusted, but once you have validated it is the website you want, it never bothers you again unless the private key changes. Private key rotations can be posted on public forums, or emailed, or any number of other ways, and users that don’t care can ignore the warnings like they do anyway, while users who DO care can perform their own validation through other channels.
The most important aspect is that there is no “authority” that can be corrupted, except for the service you are connecting to.
There is no way a user can know the website is real the first time it’s visited, without it presenting a verifiable certificate. It would be disastrous to trust the site after the first time you connected. Users shouldn’t need to care about security to get the benefits of it. It should just be seamless.
There are proposals out there to do away with the CAs (Decentralized PKI), but they require adoption by Web clients. Meanwhile, the Web clients (chrome) are often owned by the same companies that own the Certificate Authorities, so there’s no real incentive for them to build and adopt technology that would kill their $100+ million CA industry.
There is no way a user can know that their traffic hasn’t been man-in-the-middled by a compromised CA either. And why is it “disastrous” to trust a website after you have cryptographically verified it’s the same website you visited before? It would present the same public/private key pair that you already trust.
Where does the initial cryptographic verification come from? I’m not arguing that you can’t pin certificates.
That’s where the SSH analogy comes from. On the initial connection you get the signature of the web-site you are trying to visit and your browser trusts it from then on. If something changes later, then the scary warning comes up.
I hope for you, that you don’t SSH into any random machine and just import their cert.
Usually you know the machines you are trying to connect to. That gives you the ability to add their cert to your trusted hosts before connecting the first time. So for browsing the WWW this doesn’t make much sense, since you connect to way too many unknown hosts. It would create a ‘red is green’ mentality where users just import any unknown cert.
The only similarity I see, which makes sense, would be e-banking and such. The bank could send you their certificate with the login credentials by post.
Why? There is absolutely zero risk in SSHing into “random” machines especially since I’m using public ssh-keys. Of course the first time I connect to a machine it’s going to be untrusted, but who cares? I’m using SSH to ensure others can’t sniff my traffic.
If I want to sniff your traffic, I’ll set up another machine as a MITM attack.
I guess as long as you stay inside a secure company network, it wouldn’t be that bad. But if you go through the WWW, my advice is to manually add trusted hosts.
No one can remove all risk, but the security threshold between intercepting an initial connection and compromising a CA is vastly different. The latter would be much more difficult to pull off, which is why we use them. Sounds like this EU rule is going to put a ceiling on that though.
making sure a small part is very secure vs having to verify every domain I visit? yeah, let me keep using the current system… are you aware of the amount of domains you connect to every day?
Also, I might be wrong, but if I remember correctly browsers/OS-es tend to come with a list of trusted certificate keys already, which makes adding compromised keys to that list not as easy as you suggest. (I don’t even know if that happens or if they just update as part of security updates of OS/browsers)
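The "SSH-style" trust-on-first-use (TOFU) model debated in the comments above, as an added example that is not part of any poster's comment: a small known-hosts store that records a server key fingerprint on first contact, accepts the same key silently afterwards, raises a warning when the key changes, and allows a fingerprint obtained out of band (the "bank sends it by post" case) to be pinned before the first connection. The key bytes and host names are constructed sample data, and the store class and its method names are my own assumptions, not any browser's or SSH implementation's API.

```python
import hashlib
import json
from pathlib import Path
from typing import Optional


def fingerprint(public_key_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded public key, in the OpenSSH-like display form."""
    return "SHA256:" + hashlib.sha256(public_key_der).hexdigest()


class TofuStore:
    """Trust-on-first-use key store, modelled loosely on an SSH known_hosts file.

    Possible outcomes of check():
      "new"      - host never seen; its fingerprint is recorded and trusted from now on
      "trusted"  - host seen before and presents the same key
      "changed"  - host seen before but presents a DIFFERENT key (the scary warning)
    """

    def __init__(self, path: Optional[str] = None):
        # path=None keeps everything in memory (used by the test); a real client would persist it.
        self.path = Path(path) if path else None
        self.hosts: dict[str, str] = {}
        if self.path and self.path.exists():
            self.hosts = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.hosts, indent=2))

    def pin(self, host: str, fp: str) -> None:
        """Pre-trust a fingerprint obtained through another channel (letter, phone, in person)."""
        self.hosts[host] = fp
        self._save()

    def check(self, host: str, public_key_der: bytes) -> str:
        """Compare the key a server presents with what we remember about that host."""
        fp = fingerprint(public_key_der)
        known = self.hosts.get(host)
        if known is None:
            # First contact: nothing to compare against, so we accept and remember.
            # This is exactly the window the thread argues about: an interceptor
            # on the very first connection would be remembered as "the real host".
            self.hosts[host] = fp
            self._save()
            return "new"
        if known == fp:
            return "trusted"
        # Key changed: either a legitimate rotation the user must confirm out of band,
        # or an interception attempt. A client must NOT silently overwrite the pin here.
        return "changed"


def demo() -> dict[str, str]:
    """Walk through the three scenarios with constructed sample keys."""
    key_a = b"constructed-sample-public-key-A"
    key_b = b"constructed-sample-public-key-B"
    store = TofuStore()
    results = {}
    results["first_visit"] = store.check("shop.example", key_a)       # "new"
    results["second_visit"] = store.check("shop.example", key_a)      # "trusted"
    results["key_changed"] = store.check("shop.example", key_b)       # "changed"
    # Out-of-band pinning: the fingerprint arrived by post, so even the first
    # connection is verified rather than blindly trusted.
    store.pin("bank.example", fingerprint(key_b))
    results["pinned_first_visit"] = store.check("bank.example", key_b)  # "trusted"
    results["pinned_wrong_key"] = store.check("bank.example", key_a)    # "changed"
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:20s} -> {outcome}")
```

The point the example makes concrete is the one the commenters are circling: everything hinges on the very first `check()` for a host. With a CA, that first connection is verified by a third party; with TOFU it is verified by nobody unless a fingerprint was pinned beforehand, and a "changed" result has to be surfaced as a hard warning rather than auto-accepted.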
The EU is also run by legacy plutocratic elites desperate to retain their power.
The rich over there are just as tasty.
Forget the guillotine, we need to roast them live and eat the rich
/s but is it?
Here’s how to massively increase your self confidence, character, and be virtually impervious to depression. Privacy is an essential Human need. We feel insecure with no privacy as it should.
Refuse to give any data about your digital or physical self unless absolutely, undoubtedly, justifiably necessary, especially to anyone that allows third parties to snoop on you, and that could be anyone/anything! Keep telling yourself: not only will I not let Big-Tech/Gov breach my privacy and collect data about me and monetize me for free, I’m not for sale at any price.
I am not for sale at any price.
I’M NOT FOR SALE AT ANY PRICE. It will be hard for me to do, much of my behavior will need to be changed, but I am worth it.
The EU is starting to look worse than the US. Sure, the NSA is scary, but at least they work undercover.
It may be a stupid question but… what will prevent us from downloading a US browser?
As I understand it, the article says the article was finalized on November 8, 2 days ago. Do we know what the outcome was?
nato article?