Does TOFU actually work?

Jason McBrayer jmcbray at carcosa.net
Mon Nov 30 14:51:01 GMT 2020


"Ben Burwell" <gemini at benburwell.com> writes:
> On 2020-11-28 at 09:28 -05:00, Emilis <emilis at emilis.net> wrote:
>> How would TOFU work for someone out of a country that firewalls the 
>> internet and can replace all self-signed certificates for port 1965 on 
>> the fly?

> You're right - it wouldn't protect the privacy of people under that
> scenario (assuming the state actor is sufficiently motivated to do this
> interception/replacement under TOFU constraints).
>
> I'm not sure what a good solution to this is.

One option would be a 'certificate observatory', where various clients
around the world submit the fingerprints they receive for various hosts.
You can then compare the cert you receive with the consensus of the
observatory. This doesn't protect you from MITM, but it makes you aware
of it.

If you need to *actually* access content without a MITM, you'll need to
use TOR or a VPN. That's still true under the CA system; it's just more
obvious because your connections fail verification.

-- 
+-----------------------------------------------------------+
| Jason F. McBrayer                    jmcbray at carcosa.net  |
| A flower falls, even though we love it; and a weed grows, |
| even though we do not love it.            -- Dogen        |
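
The observatory comparison suggested in the message above, sketched as an added example (not part of the original post and not code from any Gemini client). The function names, the quorum and threshold values, the vantage labels and the certificate bytes are all assumptions constructed for illustration, and the reports are assumed to have been fetched over a path the interceptor cannot alter.

```python
import hashlib
from collections import Counter

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()

def consensus(reports, min_vantages=3, threshold=0.75):
    """Return the fingerprint most vantage points agree on, or None.

    reports: iterable of (vantage_id, fingerprint) for ONE host.
    Each vantage gets a single vote (its latest report wins), so one
    noisy submitter cannot outvote the rest. min_vantages and
    threshold are illustrative values, not taken from the post.
    """
    latest = dict(reports)                  # one vote per vantage
    if len(latest) < min_vantages:
        return None                         # too few observers to judge
    fp, votes = Counter(latest.values()).most_common(1)[0]
    return fp if votes / len(latest) >= threshold else None

def compare(received_der: bytes, reports) -> str:
    """Compare the certificate we were served with the observatory view.

    'match'        -> we see what most of the world sees
    'mismatch'     -> our path serves a different certificate; this
                      detects the interception, it does not prevent it
    'no-consensus' -> observatory cannot say; plain TOFU is all we have
    """
    agreed = consensus(reports)
    if agreed is None:
        return "no-consensus"
    return "match" if fingerprint(received_der) == agreed else "mismatch"

# Constructed sample data: placeholder bytes standing in for DER certs.
GENUINE = b"constructed-genuine-cert-der"
SWAPPED = b"constructed-substituted-cert-der"
REPORTS = [(v, fingerprint(GENUINE))
           for v in ("vantage-a", "vantage-b", "vantage-c", "vantage-d")]

if __name__ == "__main__":
    print("client behind interceptor:", compare(SWAPPED, REPORTS))
    print("client on a clean path:   ", compare(GENUINE, REPORTS))
    print("only two observers:       ", compare(GENUINE, REPORTS[:2]))
```

A 'mismatch' can also mean the host rotated its certificate before the observatory caught up, so a client would want to show the report ages alongside the verdict.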

