Lunduke drinks the kool-aid, declares HTTPs dangerous

Kool-aid is delicious.

2 Likes

Since when ? You could not even give us that as kids… we just did not do kool aid.

I prefer to not lock my house because the lock company has a copy of the key.

19 Likes

:confused:

click bait title, first proposition is full of holes.

Not sure what the angle is these days but i wish he wouldn’t do it.

Certificates expiring is dangerous? Really.

Apparently when you get a certificate your job is done and you never renew them?

Who knew. Not sure why my server keeps renewing my letsencrypt certificates. Renewal is good in these cases.

Fake certificates are easy to make…

No their not.

He seems to suggest that its as trivial as “spoofing a hash” of a CA i presume to make fake certificates… source? example?

SHA

Apparently because it was designed by the NSA it cant be trusted?

I’m done, this is ridiculous paranoia, and jumped to conclusions with no sources or examples. What a horribly researched video to put out, makes the community look super good. I’m wondering what the purpose of that video is? Just for the money and clicks and attention? Or is he just oblivious.

:frowning:

22 Likes

This should have been on Lunduke files. (crazy ramblings show)

So seeing as the thread opener doesn’t have a description what is tl;dr of that video?

2 Likes

tl:dr

EDIT: Also the lock company MIGHT have a copy. But probably not.

5 Likes

Aren’t they all?

I know he’s a friend of L1T and started Jupiter Broadcasting, but I’ve never been a fan of the guy. He just spews nonsense with a “These are just my opinions” disclaimer so no one can call him out.

5 Likes

This is just a copout, that might be fine if its just a video of your opinion about something that happened say, but when your saying you cant trust SHA because the NSA designed it, or that HTTPS is dangerous, you better support your claims with researched facts.

This is one of the worst videos I’ve seen him make.

8 Likes

Agreed. Usually his videos aren’t bad. (Unless it’s Friday)

Considering he has some fair prominence, this is a very disappointing video. I hope it doesnt influence anyone new to this stuff.

There isn’t really much other Linux video content, so his comes up a lot. Maybe there should be a counter video :stuck_out_tongue:

2 Likes

It’s not disappointing, it’s downright dangerous.

4 Likes

Agreed. I might try and go through and make counter points if i can, just needs some time to research and provide suitable evidence. (what a novel concept)

5 Likes

I mean he does bring up some valid points but what would concern me is who is allowed to be a CA these days and that doesnt just affect HTTPS. There is a fair bit of tin foil involved here for sure.

I wouldn’t bother. The infosec community is laying into him so someone will have something soon. I’ll post something when I see it. I’ve been waiting for the registry to lay into him.

1 Like

I’m going by his logic. But yea agreed.

There’s fairly good controls on this. A CA making a mistake can and has ended their business. Symantec as a CA for example is no more, their few mistakes has lead to the gradual district for their root certificates and exclusion from use.

1 Like

Some decent points from a comment on his video

Author: Miha Frangež

  1. Certificates expire: Yes, domain names expire too. You don’t want the previous owner of your domain to be able to spoof traffic, do you? Also, if your certificate is stolen, it can only be used for a limited time.

  2. It’s easy to fake certificates: Is it? I wouldn’t call essentially hacking a CA easy. Sure, there have been bugs in their software, but that isn’t an inherent flaw of HTTPS.

  3. SHA was developed by the NSA: Bryan, oh, Bryan… This is borderline paranoia. Not everything made by the NSA is bad (SELinux, etc.). The mathematics has been checked again and again. Last time the NSA tried to put backdoor in encryption (the elliptic curve thing) it was found by independent researchers.

3.1) The NSA can read our encrypted traffic. You call this a fact, but it is simply not true. All the cases (that I know) of ANY spy agency bypassing HTTPS was by forcing a CA to issue a fake certificate or by forcing the site to give them the real one. An inherent problem of the CA model, yes, but it isn’t a backdoor in the way you describe it.

3.2) The NSA wrote our random number generators: You can use whatever RNG you want. Uranium, kittens in a box…hell, Cloudflare uses a wall of lava lamps. I don’t think the backdoored RNG is still being used anywhere.

  1. Adding complexity: Encryption is, by definition, complex. Yes, plaintext has less complexity. But if the added complexity makes HTTPS 20% less secure (and it doesn’t), that’s still 80% more security than plain text.

  2. No reason to encrypt lunduke.com: The security isn’t needed, true, but privacy and authenticity are. One could, for example, MITM me and add an article, supposedly by you, talking about a really cool program that actually has a trojan in it. Or, in the privacy case, your site might be labeled as ‘extremist’ by some governments. I wouldn’t be suprised if your site is already on one of those NSA keyword watchlists. HTTPS, along with DNSSEC, would leave no indication, that someone visited your site (assuming you don’t self-host, but at that point you have bigger problems). [this isn’t entirely correct since initial SSL handshake contains hostname in clear text]

7 Likes

Still trying to consider his points…but his points on the government developing some of the methods does present valid concerns to me as i am not likely to trust government anything. I am of the mind that better security is good but consider completely trusting an entity as slapping on blinders.