Does TOFU actually work?

John Cowan cowan at ccil.org
Mon Nov 30 15:19:47 GMT 2020


On Mon, Nov 30, 2020 at 9:51 AM Jason McBrayer <jmcbray at carcosa.net> wrote:

> "Ben Burwell" <gemini at benburwell.com> writes:
> > On 2020-11-28 at 09:28 -05:00, Emilis <emilis at emilis.net> wrote:
> >> How would TOFU work for someone out of a country that firewalls the
> >> internet and can replace all self-signed certificates for port 1965 on
> >> the fly?
>

A more practical version of this scenario is a MITMing corporate firewall.
In general, there is no right of privacy for what you do using your
employer's equipment, at least in the U.S.

> One option would be a 'certificate observatory', where various clients
> around the world submit the fingerprints they receive for various hosts.
> You can then compare the cert you receive with the consensus of the
> observatory. This doesn't protect you from MITM, but it makes you aware
> of it.
>

Unless, of course, the MITMer is aware of the observatory and alters what
you receive from it.

In general, if someone controls *all* your connections to the outside
world, they can make you believe whatever they want, and crypto doesn't
help in the slightest.  The reason the Great Firewall of China doesn't
block or MITM outbound VPN connections is that China doesn't want it to:
VPN connections are very expensive in China, so they are generally used
only by foreigners there on business, which China has no desire to alienate
and who are unlikely to have Chinese political motives.



John Cowan          http://vrici.lojban.org/~cowan        cowan at ccil.org
Mos Eisley spaceport.  You will never see a more wretched hive of scum
and villainy --unless you watch the Jerry Springer Show.
        --georgettesworld.com



> If you need to *actually* access content without a MITM, you'll need to
> use TOR or a VPN. That's still true under the CA system; it's just more
> obvious because your connections fail verification.
>
> --
> +-----------------------------------------------------------+
> | Jason F. McBrayer                    jmcbray at carcosa.net  |
> | A flower falls, even though we love it; and a weed grows, |
> | even though we do not love it.            -- Dogen        |
>
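An added example, not code from this thread, the Gemini project or any Gemini client, of the two mechanisms the exchange above discusses: a TOFU pin store (trust the certificate seen on first use, compare on every later connection) and the "certificate observatory" cross-check, where the fingerprint you received is compared with what clients in other networks report. It assumes the pin is the SHA-256 of the certificate's DER bytes (a common convention, not mandated by the thread), models the observatory as a hypothetical `Observatory` class with a list of reported fingerprints per host, and uses constructed byte strings in place of real X.509 certificates. It also shows the blind spot raised in the thread: a firewall that was already in place on first use gets pinned silently, and only the observatory, if it is not itself intercepted, can reveal that.

```python
"""TOFU pin store with an optional certificate-observatory cross-check.

Added example for the thread's discussion; not the Gemini project's code.
Certificates are the raw DER bytes a client reads from the TLS handshake on
port 1965; the sample "certificates" here are constructed byte strings.
"""
import hashlib
from collections import Counter

GEMINI_PORT = 1965  # the port mentioned in the thread


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, hex-encoded (assumed pin format)."""
    return hashlib.sha256(cert_der).hexdigest()


class Observatory:
    """Hypothetical observatory: host -> fingerprints submitted by clients
    in different networks. Only a strict majority counts as consensus.

    The caveat from the thread applies: if the same party intercepts the
    connection to the observatory, it can answer with any consensus it
    likes, so this catches a MITM on one path, not on every path.
    """

    def __init__(self, reports):
        self.reports = reports

    def consensus(self, host):
        counts = Counter(self.reports.get(host, []))
        if not counts:
            return None
        fp, n = counts.most_common(1)[0]
        return fp if n * 2 > sum(counts.values()) else None


class TofuStore:
    """host -> fingerprint pinned the first time that host was contacted."""

    def __init__(self):
        self.pins = {}

    def check(self, host, cert_der, observatory=None):
        """Return (pin_status, observatory_status).

        pin_status:         'first-use' (pinned now), 'ok', or 'mismatch'.
        observatory_status: None if not consulted, else 'agrees',
                            'disagrees' or 'no-consensus' relative to the
                            certificate we just received.
        'mismatch' + 'agrees' is a legitimate key rollover;
        'ok'/'first-use' + 'disagrees' means our path is being intercepted.
        The pin is only changed here on first use; see accept_rotation().
        """
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp          # TOFU: whatever we see first wins
            pin_status = "first-use"
        elif fp == pinned:
            pin_status = "ok"
        else:
            pin_status = "mismatch"
        if observatory is None:
            return pin_status, None
        consensus = observatory.consensus(host)
        if consensus is None:
            return pin_status, "no-consensus"
        return pin_status, ("agrees" if consensus == fp else "disagrees")

    def accept_rotation(self, host, cert_der):
        """Explicitly re-pin after the operator judged a mismatch legitimate."""
        self.pins[host] = fingerprint(cert_der)


# Constructed stand-ins for DER certificates (not real X.509).
CERT_A = b"constructed-cert-A-for-example.org"
CERT_B = b"constructed-cert-B-for-example.org"
CERT_MITM = b"constructed-cert-injected-by-firewall"


def demo():
    """First use, revisit, interception, rollover, and the first-use blind
    spot; returns the list of verdicts in order."""
    honest = Observatory({"example.org": [fingerprint(CERT_A)] * 5})
    store = TofuStore()
    v = [store.check("example.org", CERT_A),                 # ('first-use', None)
         store.check("example.org", CERT_A, honest),         # ('ok', 'agrees')
         store.check("example.org", CERT_MITM),              # ('mismatch', None)
         store.check("example.org", CERT_MITM, honest)]      # ('mismatch', 'disagrees')
    rotated = Observatory({"example.org": [fingerprint(CERT_B)] * 5})
    v.append(store.check("example.org", CERT_B, rotated))    # ('mismatch', 'agrees')
    store.accept_rotation("example.org", CERT_B)
    # The thread's scenario: the firewall was already there on first use.
    behind = TofuStore()
    v.append(behind.check("example.org", CERT_MITM))         # ('first-use', None)
    v.append(behind.check("example.org", CERT_MITM, rotated))  # ('ok', 'disagrees')
    # Observers split 2/2: no majority, so no verdict either way.
    split = Observatory({"example.org": [fingerprint(CERT_A)] * 2
                         + [fingerprint(CERT_B)] * 2})
    v.append(store.check("example.org", CERT_B, split))      # ('ok', 'no-consensus')
    return v
```

The pin is never silently replaced on a mismatch, even when the observatory agrees with the new certificate: a client that auto-accepted whatever the majority reports would have turned the observatory into a second trust anchor that an attacker controlling all paths could feed, which is exactly the case the thread says crypto cannot help with.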