Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it
From: J.B. Nicholson-Owens
Subject: Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it
Date: Sun, 08 Jun 2014 22:40:27 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
carlo von lynX wrote:
> Yet the things the page recommends are band-aids.
None of the problems you cite are easily fixed. The FSF can't easily get
people to stop using non-free software despite over 30 years of positing
robust counterarguments that rely on unchanging principles--ethics--and
demonstrating doing ethical computing via their own acts. That challenge
doesn't mean it's time to give up on software freedom.
> - The recommended solutions for mail and chat
> are obnoxious for normal users to install and
> will be obsolete in a year or so, since no-one
> should stick to mail and chat that does not
> protect the social graph "meta" data.
I won't argue that email is sometimes problematic but, as others have
pointed out, email isn't going away anytime soon (a lot of other stuff
depends on email). I'd also argue that decentralized approaches to
electronic communication should not go away because decentralization is
critical to regaining privacy by running one's own servers. I understand
that the FreedomBox hackers are working from this basis as well for the
services that computer will use.
> - The idea that all HTTP sites should upgrade
> to HTTPS, without at least convincing one CA
> to hand out free *.domain certificates, is just
> an amazing promotional campaign for the CA industry.
Or one could consider the Firefox add-on that avoids using CAs
altogether. As I'm guessing you're aware, Moxie Marlinspike had a
lecture about the CA problem at the 2011 Black Hat security conference
titled "SSL And The Future Of Authenticity"[Future of Authenticity].
He's also behind the Convergence Firefox add-on[Convergence] which
offers a practical means of avoiding the CA system while still using
HTTPS websites.
> - Would be better if the web browsers were supporting
> proper pinning of self-signed certificates. Or
> supporting cacert.org so people can reasonably get
> free certs. They can show the sites with a yellow
> box instead of a green one (if Mozilla thinks cacert
> is less safe, which in the current situation is a
> ridiculous assertion anyway), but leaving the web in
> a state of utter brokenness is sick.
Running a CA isn't easy and recommending any particular CA is risking
this part of one's message on the future behavior of that CA. If that
CA's methods fail and browser programmers remove that CA from the
browser, website admins who used that CA are left to pick a new CA. This
is the DigiNotar problem all over again.
> - Would be better to fix the scalability of Tor hidden
> services so we can use .onion instead of the broken
> HTTPS thing. Or if that doesn't work, use GNUnet for
> the "light web"
Tor is great but this objection is a bit inconsistent with your
objections above -- it can't be that bad to expect non-technical
computer users to install a browser add-on if you're okay with expecting
them to switch to using Tor.
> - Would be better to deploy opportunistic forward
> secrecy implemented in JS over HTTP (naif has been
> working on that)
JavaScript has its own problems for privacy protection. For example, JS
is quite powerful and capable of reading information which few websites
can legitimately justify collecting. JS can track mouse/keyboard
activity, for instance.
> - Would be better if campaign websites weren't themselves
> collecting personal data before even saying anything
> (the first thing it shows is a prompt to drop your
> e-mail into a box.. very reassuring).
This is better directed at the people who run
https://www.resetthenet.org/ and not the FSF.
I have JS turned off by default in my browser, so if they're using JS to
hide some or all of the site until you submit an email address I never
noticed that. When I visited https://www.resetthenet.org/ I saw a direct
link to the WebM movie for the site, I was able to read all the text, I
could have downloaded the site graphics, and I was able to scroll
through the site information all without supplying an email address. I
really don't think I missed anything that site has to offer.
The FSF-written webpages which refer to the "Reset the Net" campaign:
https://fsf.org/blogs/community/reset-the-net
https://emailselfdefense.fsf.org/
do not ask for one's email address to read the FSF's take on the matter.
[Future of Authenticity] https://www.youtube.com/watch?v=Z7Wl2FW2TcA
Unfortunately I don't know of another source for this talk than YouTube
which, when used in the normal fashion, needs non-free JS to use.
Therefore I recommend not visiting the site in the normal way but
instead using youtube-dl to download the video, or turning off JS for
YouTube and visiting this URL with the "UnPlug" Firefox add-on installed
to get the video.
[Convergence] http://convergence.io/