- From: Jacob Appelbaum <jacob@appelbaum.net>
- Date: Sat, 5 Dec 2015 03:51:11 +0000
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
On 12/5/15, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> --------
> In message <CAFggDF2L1==CBMjrTxwsLYxNYaXjUReKOnqGGLc6VNokpZwNEQ@mail.gmail.com>, Jacob Appelbaum writes:
>
>>> But SSL/TLS is just about the worst encryption you can bring to
>>> that fight, because it is *so* trivial and routine to MiTM that you
>>> can find the list-price for the necessary equipment on Google.
>>
>> This is where we diverge, I suspect. None of that equipment is going
>> to work against PayPal or Google or even Tor Project's website when a
>> user uses a modern browser as those sites are TLS with cert pinning.
>
> You're right.
>
> PayPal, Google and the Tor Project will probably just stop working
> in Kazakstan, and either they decide to follow the duly enacted
> and valid laws of that country, or they will not be doing business
> there.

If I was a betting person, I'd bet they continue to work - except Tor
Project, I expect that to be blocked if it isn't already.

Here is our user graph for the entire year of 2015 for Kazakstan:

https://metrics.torproject.org/userstats-relay-country.html?graph=userstats-relay-country&start=2015-01-01&end=2015-12-05&country=kz&events=off

> For Kazakstan they *might* be able to shrug, although the track-record
> indicates that the first two tend to follow local laws.
>
> I have no idea what the Tor project will do, but fortunately the
> human rights activists I know about have a fallback.

I suspect that they will use Tor bridges or another similar bypass
method. If they need help, we're always happy to help - please ask them
to reach out if we can help.

> But have you followed the political discourse in UK recently ?
>
> Will PayPal, Google and the Tor Project be able to shrug it off
> when the UK government makes a similar move ?

People related to the Tor Project have been working to submit evidence
with regard to the latest series of bills on exactly this topic. I guess
other groups will do the same.
>> While many sites can be attacked - it requires a specific on-path
>> attacker with access to specific high cost cryptographic resources.
>
> Dude, it's not high cost. Kazakstan probably didn't even pay a
> million dollars for their kit.

I'm sorry if I was unclear: The high cost is a cert chain that works on
everyone without installing a root. The gear for MITM is of course
probably the cost of a few high quality tires on a tractor.

>>> Deploy *that* with good key-management tools[1] and the politicians
>>> will face the much more unpalatable choice of "Block or Pass".
>>
>> We can't choose a single tactic [...]
>
> That response is a little bit ironic, coming from one of the loudest
> "TLS everywhere" advocates...

Surely you're aware that I'm working on many different angles at the
same time - exactly in many of the areas that you suggest.

All the best,
Jacob
Received on Saturday, 5 December 2015 03:51:41 UTC