Lunduke drinks the kool-aid, declares HTTPS dangerous

Not gonna work. Because, then it would be “should I develop X to work with HTTPS or HTTP*”? There is already so much tooling that would need to be redone that it would take several years. Unless a PaaS sprung up overnight I highly doubt this would be a viable alternative.

Devs will go for the larger, more popular one, not to mention that browsers would need to be overhauled to accept the new whatever method.

Instead of creating a new thing, let’s just fix the current one we have (if it needs it). Google is already taking steps like this to revoke insecure certs issued by Symantec, and others with weak hashing algos.

It’s a non-proprietary protocol. What more do you need?

5 Likes

Didn’t we just have that for DRM in webpages?

This already exists, it’s the HTTPS protocol.

HTTPS is made up of a composite of several parts. HTTPS isn’t actually as different a thing as you might think. It uses the same top-level layer to communicate with a server. Suggesting that we shouldn’t use HTTPS is suggesting that we shouldn’t use HTTP (maybe we shouldn’t, but that is a different discussion, and not what he brought up).

It’s made up loosely of the following (ignoring lower-level components like TCP/IP).

HTTP, the top-level protocol for communicating with web servers. This is literally just a protocol for how two servers should communicate, what types of requests they support and how to respond.

TLS, the encryption layer that makes the S in HTTPS, generally secures the HTTP link. This hasn’t always been TLS; it used to use SSL, which was deprecated in favor of TLS. TLS has also changed over the years, having a number of versions. The current is TLS 1.2, which is being replaced by TLS 1.3.

TLS can make use of several encryption and hashing algorithms to create a secure connection. These are defined by the IETF (not the NSA), and the protocol version and specification for TLS are open and public, always.

The fact that they chose SHA1 as the hashing algorithm of choice doesn’t mean there’s some NSA conspiracy, and this is why he had such backlash.

There are actually concerns and issues he could have brought up, but he never did. Most comments that have defended his position (to some extent, not completely) bring up issues with HTTPS that he never got into.

I tried telling him as much, but he only seems to reply to things that are in his favor from what I could see.

You can see the entire specification here: https://tools.ietf.org/html/rfc5246

and the proposed draft for TLS 1.3, which is to replace old broken technology with improved technology (something Brian seemed to think doesn’t happen with HTTPS?): https://tools.ietf.org/html/draft-ietf-tls-tls13-23

Does this mean that Bryan Lunduke hates the EFF because they have HTTPS Everywhere? :thinking:

3 Likes

slippery slope is getting slipperier

3 Likes

Not to mention SHA1 being deprecated in favour of SHA256.

I would expect that Brian would know all this stuff.

I guess I should watch his video before commenting, but I get the gist of it from this wall of posts. I don’t have too much else to add, but people can man-in-the-middle your HTTPS connections if they are able to generate certificates on the fly, from a CA your browser or computer already trusts. There are a few hoops to jump through there. Granted, they will not (should not) be from the same Certificate Authority (CA), but unless your browser is pinning them, i.e. making sure they are from the same CA the website uses, then how would you know? Chrome knows that Google’s CA generates certificates for Google-related websites, but buggered if I know who is the right CA for any other website.
But who is to say NSA (insert appropriate evil agent here) doesn’t co-opt Symantec or some other trusted CA (not for long in this case, although DigiCert is buying up their CA), and intercept traffic at will, hoping people downstream don’t notice?

Still, all that being said, no need to stop using HTTPS. If you are paranoid, find a good VPN or use some other method.

He is taking his personal opinions and convictions way too far. He isn’t far off with his sentiment, but it’s well into clickbait territory.

Use the strongest security possible.
but…
Federal agencies have been dishonest.

Reason is somewhere in the middle. He’s trying too hard to make a point, maybe just for the yt views, maybe not.

I’m preaching to the choir; just wanted to throw my 2c in.
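To make the two technical points in this thread concrete (HTTPS being plain HTTP over a TLS-wrapped socket, and pinning as the check that catches a certificate from an unexpected but still trusted CA), here is an added example that is not code from the thread or from any project mentioned in it. It uses only the Python standard library; the host in the `__main__` block is taken from the RFC links above and the pin values in the test are constructed.

```python
"""HTTPS = ordinary HTTP bytes over a TLS-protected socket, plus an optional
leaf-certificate pin check.  Added example, not from the original thread."""
import hashlib
import hmac
import socket
import ssl

def make_tls_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 floor (SSL and TLS 1.0/1.1 refused), certificate
    chain and hostname verification on.  Mirrors the version history above."""
    ctx = ssl.create_default_context()          # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def build_http_request(host: str, path: str = "/") -> bytes:
    """The HTTP layer: identical bytes whether or not TLS sits underneath."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def cert_pin(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, expected_pins: set) -> bool:
    """True if the presented leaf certificate is one we expected.  A cert
    issued by a different trusted CA passes chain validation but fails here."""
    actual = cert_pin(der_cert)
    return any(hmac.compare_digest(actual, p) for p in expected_pins)

def https_get(host, path="/", expected_pins=None, timeout=10.0) -> dict:
    """TCP connect, TLS handshake, optional pin check, then plain HTTP."""
    ctx = make_tls_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        # wrap_socket performs the handshake; server_hostname drives SNI + name check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if expected_pins is not None and not pin_matches(der, expected_pins):
                raise ssl.SSLCertVerificationError("leaf certificate pin mismatch")
            tls.sendall(build_http_request(host, path))
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
            return {"tls_version": tls.version(), "cipher": tls.cipher()[0],
                    "pin": cert_pin(der), "status_line": status}

if __name__ == "__main__":
    print(https_get("tools.ietf.org"))   # host taken from the links in the post
```

Running it once and recording the returned `pin`, then passing that value as `expected_pins` on later runs, is the manual equivalent of the browser-side pinning the post describes.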

All good. I would expect that sort of click-baity YouTube video from someone who needs to derive a living off YouTube. I.e. clicks = being able to live. I wasn’t aware he was a rat-taser.

3 Likes

I would consider him way too small for the extra 1-2k views to make a difference. He has probably been listening to himself way too long and it has probably manifested in some way.

1 Like

Jesus christ, I’m watching this finally, and I’m wishing I hadn’t. He’s wrong. On so many levels, he is so, goddamned wrong.

Also, “We know for a fact that HTTPS is compromised now,”
JumpToConclusions

Edit:
I don’t know if Bruce talks about it in this talk, but it’s an hour long, and it’s just awesome to listen to him. Bruce has pored over the Snowden docs, he is a security researcher, he is a cryptographer, he knows. what. the. fuck. he’s. talking. about. His assessment of the state of public key cryptography in a post-Snowden world? “The math works.”

When it comes to security, I’m a fucking amateur at best, and even I can point out some massive flaws in Lunduke’s video.

4 Likes

That’s the issue, isn’t it. Practically no research at all. I have expected less research from him recently, he seemed to put more work in before, but this is probably a low point. It’s almost as if he looked up some stuff and stopped as soon as it was enough to put together the narrative he wanted. If that was the actual goal… who knows, but it’s a sad video.

Another Schneier article you might find interesting is about the deterministic random bit generator that Brian mentioned.

https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

5 Likes

Ah yes, that was another article I had read, and a very good one as well. Now, this is another one of those “as I recall” statements, of which I have made a few recently so I really need to catch up on those. But as I recall, it turned out that not a lot of companies were actually using the Dual_EC_DRBG RNG. Which was part of what makes me flail at Lunduke’s video.

Gods, it’s also not easy to fake certificates. He just makes that damned assertion and doesn’t back it up with anything. GAH!!!

1 Like

OK… What a load of BS. The fact that I am no expert and I can specifically point out how poorly researched everything on the video is, is insane. A security expert must be face-palming with 3 hands if he saw this.

Lunduke went full uninformed rambling. It is amazing how much he has fallen from grace in recent months. This video is outright dangerous.

And he is actually making a “tech as religion” video to justify and invalidate the people that criticized him with actual arguments? He actually equates the “trolls” from his linux sucks videos with the people actually telling him that “you have poorly researched the subject” and giving specific points why. This is like the most mean-spirited and corrupt way to fend off criticism. This is crony politician level rhetoric.

This second video is actually more infuriating than the HTTPS one.

This is a sinister argument technique and it is pretty obvious he made it for the clicks without thinking of the consequences. I was giving Lunduke the benefit of the doubt because of his past, but these two videos go really over the line.

3 Likes

He needs to spend a few weeks and learn how TLS (specifically PFS/DH parts of it) work and why it works that way; as an influential figure I see it as his responsibility to better understand what he’s saying, or just not be a dick and go public with misinformation.


In any case, one of the things that I miss from early days of unencrypted internet are squid proxy caches. (Not the proxying, the caches).

Nowadays there’s CDNs and stuff to replace them, but CDN hosting costs money, and contents are dictated exclusively by the hosters and not so much by the users.

I wish browsers/http clients implemented some kind of useful cache sharing mechanism, so that any ISP could just bring up a number of boxes on their network with just a bunch of spinning disks and SSDs, and wouldn’t have to contract with Google/Akamai/Facebook/Netflix…
Those caches can then allow ISPs to traffic engineer their backbones more efficiently, e.g. they can keep an index of neighboring caches and make cost based choices on whether to get the contents from a nearby cache, or from source and stream it back to user.

Think about, if you happen to remember, those torrent caches that used to be run by Russian ISPs a while back, but set up for http/https content.

There’s no reason for most people to care about being identified as streaming a particular publicly available 4k video. AES encrypted, with a hash for each 1M or 8M block going over https, should usually work just fine.

I think some caching like that would have the potential to unclog a lot of the internet these days and allow more people to better utilize the growing deployment of FTTH.

And it took about twenty years to move away from it. There’s not really an efficient way to move everyone over en masse. It’s much more efficient to improve the existing standard.

Yeah I think I have seen enough now. This is a flat earth conspiracy video about HTTPS.
From the sultry calm tone of his voice, through the small pieces of truth, to the neglect of any contrary information to finally nail it all home with a burden of proof.

It is Fake News.

5 Likes

Only reason I read this thread was Wendell was on Lunduke’s show recently and I did watch that. Brian just about railed on every opinion Wendell had. My respect for Wendell leveled up watching that show.

Someone (Eden) should shoot him a DM and ask to be on his show and have a livestream conversation about the video. It would be a great video, I would watch it.

3 Likes

Right of reply would be interesting :slight_smile: Brian does love drama. He would be into it.

1 Like

All he said was blindly trusting HTTPS is dangerous.

He used a clickbait title but what do you expect from the Linux sucks guy. He said HTTPS is far from perfect and I agree.

1 Like