
Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it


From: J.B. Nicholson-Owens
Subject: Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it
Date: Sun, 08 Jun 2014 22:40:27 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

carlo von lynX wrote:
> Yet the things the page recommends are band-aids.

None of the problems you cite are easily fixed. The FSF can't easily get people to stop using non-free software despite over 30 years of positing robust counterarguments that rely on unchanging principles--ethics--and demonstrating doing ethical computing via their own acts. That challenge doesn't mean it's time to give up on software freedom.

> - The recommended solutions for mail and chat
>    are obnoxious for normal users to install and
>    will be obsolete in a year or so, since no-one
>    should stick to mail and chat that does not
>    protect the social graph "meta" data.

I won't argue that email is sometimes problematic but, as others have pointed out, email isn't going away anytime soon (a lot of other stuff depends on email). I'd also argue that decentralized approaches to electronic communication should not go away because decentralization is critical to regaining privacy by running one's own servers. I understand that the FreedomBox hackers are working from this basis as well for the services that computer will use.

> - The idea that all HTTP sites should upgrade
>    to HTTPS, without at least convincing one CA
>    to hand out free *.domain certificates, is just
>    an amazing promotional campaign for the CA industry.

Or one could consider the Firefox add-on that avoids using CAs altogether. As I'm guessing you're aware, Moxie Marlinspike had a lecture about the CA problem at the 2011 Black Hat security conference titled "SSL And The Future Of Authenticity"[Future of Authenticity]. He's also behind the Convergence Firefox add-on[Convergence] which offers a practical means of avoiding the CA system while still using HTTPS websites.

> - Would be better if the web browsers were supporting
>    proper pinning of self-signed certificates. Or
>    supporting cacert.org so people can reasonably get
>    free certs. They can show the sites with a yellow
>    box instead of a green one (if Mozilla thinks cacert
>    is less safe, which in the current situation is a
>    ridiculous assertion anyway), but leaving the web in
>    a state of utter brokenness is sick.

Running a CA isn't easy and recommending any particular CA is risking this part of one's message on the future behavior of that CA. If that CA's methods fail and browser programmers remove that CA from the browser, website admins who used that CA are left to pick a new CA. This is the DigiNotar problem all over again.

> - Would be better to fix the scalability of Tor hidden
>    services so we can use .onion instead of the broken
>    HTTPS thing. Or if that doesn't work, use GNUnet for
>    the "light web"

Tor is great but this objection is a bit inconsistent with your objections above -- it can't be that bad to expect non-technical computer users to install a browser add-on if you're okay with expecting them to switch to using Tor.

> - Would be better to deploy opportunistic forward
>    secrecy implemented in JS over HTTP (naif has been
>    working on that)

JavaScript has its own problems for privacy protection. For example, JS is quite powerful and capable of reading information which few websites can legitimately justify collecting. JS can track mouse/keyboard activity, for instance.

> - Would be better if campaign websites weren't themselves
>    collecting personal data before even saying anything
>    (the first thing it shows is a prompt to drop your
>    e-mail into a box.. very reassuring).

This is better directed at the people who run https://www.resetthenet.org/ and not the FSF.

I have JS turned off by default in my browser, so if they're using JS to hide some or all of the site until you submit an email address I never noticed that. When I visited https://www.resetthenet.org/ I saw a direct link to the WebM movie for the site, I was able to read all the text, I could have downloaded the site graphics, and I was able to scroll through the site information all without supplying an email address. I really don't think I missed anything that site has to offer.

The FSF-written webpages which refer to the "Reset the Net" campaign:

https://fsf.org/blogs/community/reset-the-net
https://emailselfdefense.fsf.org/

do not ask for one's email address to read the FSF's take on the matter.



[Future of Authenticity] https://www.youtube.com/watch?v=Z7Wl2FW2TcA Unfortunately I don't know of another source for this talk other than YouTube which, when used in the normal fashion, needs non-free JS to use. Therefore I recommend not visiting the site in the normal way but instead using youtube-dl to download the video, or turning off JS for YouTube and visiting this URL with the "UnPlug" Firefox add-on installed to get the video.

[Convergence] http://convergence.io/


