#i2p-dev (irc2p) | 2.7.0-1 | 2.8.0 Release Discussion: http://i2pforum.i2p/viewtopic.php?t=1301

#i2p-dev

/2024/03/31

Online: 53

@eyedeekay

&kytv

&zzz

+R4SAS

+RN

+RN_

+dr|z3d

+hk

+orignal

+postman

+wodencafe

Arch

DeltaOreo

FreeRider

FreefallHeavens

Irc2PGuest10850

Irc2PGuest19353

Irc2PGuest23854

Irc2PGuest46029

Irc2PGuest48064

Irc2PGuest77854

Nausicaa

Onn4l7h

Onn4|7h

Over

Sisyphus

Sleepy

Soni

T3s|4__

Teeed

aargh3

acetone_

anon4

b3t4f4c3

bak83_

boonst

cumlord

dr4wd3_

eyedeekay_bnc

hagen_

khb

mittwerk

plap

poriori

profetikla

rapidash

shiver_

solidx66

u5657_1

uop23ip

w8rabbit

weko_

x74a6

eyedeekay I had a potentially hare-brained showerthought about how to do TLS for I2P sites without forking a browser or running an in-I2P CA of our own

eyedeekay It's probably not that much work

eyedeekay github link to an explanation: github.com/eyedeekay/TLS-Somewhere

eyedeekay I'll post an I2P link as soon as I get it mirrored

eyedeekay git.idk.i2p/idk/tls-somewhere

dr|z3d hare-brained, or hair-brained schemes don't inspire much confidence, but I guess we should wait for the payload :)

eyedeekay It's a genuinely crazy idea and I probably won't put that much time into it unless there's a great deal of interest but hypothetically it's not *worse* than anything we've already got

eyedeekay But the premise is very counter-intuitive. Basically what it would do is create a deliberately useless CA that could be used to sign any certificate, and then use a browser extension to reject that CA for all non-I2P sites.

eyedeekay I'm both sure it's crazy and sure it would work

dr|z3d hmm, that sounds pretty dubious.

dr|z3d if the point is just to bypass the self-signed click through, it might work, but of course you're then reliant on a browser extension which isn't great.

dr|z3d but you're defeating 99% of the purpose of the certificate, which is to verify the authenticity of the connection.

eyedeekay Agreed, for clearnet sites, but for hidden sites I'm just moving it back where it already was

dr|z3d where it already was? a global fake cert isn't quite the same as a self-signed cert.

dr|z3d what's the objective? to fix gitlab requirements for https?

eyedeekay Where it already was would be the hidden service's private keys IMO

dr|z3d I don't understand the motive, and I don't agree with the reasoning. If we don't *need* certificates on the network, then we don't need them, because the private dest key provides the same level of security or better.

dr|z3d Which is why I'm asking what the objective is.

eyedeekay the objective isn't just gitlab, I can just tell people how to add the self-signed CA for gitlab, my goal is to provide a solution that works for every self-signed certificate and differentiates between I2P and non-I2P self-signed certs

dr|z3d so in essence all you're proposing to fix is the click through for self-signed certs on the network, the number of which you can probably count on one hand?

dr|z3d if that's the case, I'd suggest that your time is probably better spent elsewhere, like ditching gitlab and migrating to something less monstrous :)

eyedeekay If there were no barrier to entry, then I think the HTTPS would be useful for many kinds of I2P sites, and more importantly, browsers are making more and more things functionally inaccessible without HTTPS,

dr|z3d sure, if we could implement a solution that didn't require browser addons or fake certs, then it might be useful, not least to enable some https only features like http/2 or 3.

dr|z3d otherwise, I don't see much demand for it, given we already have our own encryption layer. there's not much demand for it on Tor, either, though they have the added advantage of being able to install legit certs.

eyedeekay The figure I got at CCC is that something like 30% of the real-world-onion's have real-world-TLS-over-onion now

dr|z3d presumably real-world being corporations running mirrors on Tor?

eyedeekay Yeah

dr|z3d so not really relevant to I2P.. if there are actual corps with a presence on our network, they haven't made any noise to suggest they'd like TLS support.

dr|z3d and if they did want TLS support, you can rest assured they wouldn't be happy with a global fake cert.

eyedeekay Well, unlike the other solutions I'm pretty sure that this one will still work without a browser fork when we do need a solution

eyedeekay So it can sit on a shelf

dr|z3d put it in the STTA tray and let it marinate :)

dr|z3d "something to think about"

eyedeekay My prediction is that there will never be anything *less* complex than a browser extension for modifying the behavior of TLS on I2P sites and even that gets really weird as you can see

eyedeekay With the possible exception of a real CA issuing certs for I2P sites

eyedeekay Everything else requires forking a browser which is always a mess

eyedeekay But until we can't live without it, on the shelf it goes

dr|z3d nothing less than a genuine CA authority issuing certs is going to satisfy any corporate interests on the network. without that, I don't see the point.

dr|z3d if the new i2p.special certs or whatever the tld is could include .i2p domains, I'd be all for offering support in the network.

eyedeekay webtorrent?

eyedeekay Voice chat in the browser?

dr|z3d fake certs don't buy us anything here that we don't already have in my opinion.

eyedeekay So for the 2 examples I just gave, you have to have not 1 TLS certificate but 2, and not only that, but you need to have one of those TLS certificates be accepted non-interactively

eyedeekay webtorrent requires you use wss to communicate with the tracker

eyedeekay Well not webtorrent per se but browsers

eyedeekay And in-browser voice chat requires the use of a server which the peers use to exchange address information

dr|z3d we don't need webtorrent support, we already have a torrent client in the browser that serves the same purpose.

eyedeekay No it doesn't

dr|z3d (more or less :))

eyedeekay The advantage of webtorrent is that you can embed the resource directly into a web page

eyedeekay I can sort of hack something together that does that on top of a browser extension but IMO it's really not the same

dr|z3d as for voice chat, we have an anonymizing network overlay and alternative voice-chat implementations that don't require certs, not that there's much demand for that, either.

eyedeekay Mumble?

RN but what about the recycling of sites? i.e. the re-use of registered names by reg.i2p you don't have that same assurance we used to

dr|z3d sure, why not. if that requires certs, presumably the application handles those? not familiar.

eyedeekay I'm just wondering which voice chat you're referring to, the only one I know of that's been slightly successful so far is Mumble

RN if i2peek-a-boo was gone long enough then someone could grab it in reg, regardless if I hold the private keys

dr|z3d if it's registered on stats, then I think it's left alone, but you'd have to ask R4SAS to be sure.

eyedeekay I'm not sure what you mean RN, this shouldn't overlap with reg's process of using the hidden service's own private keys

eyedeekay to make the auth string

dr|z3d RN is throwing a curveball.

eyedeekay Unfortunately I gotta go AFK for a couple hours, I'll be back in a bit

eyedeekay Ah, found the zzz.i2p thread for the last time it came up: zzz.i2p/topics/3303-webtorrent-on-i2p

eyedeekay I wonder why it became today's showerthought. Probably because it could have been distracting.

dr|z3d you look much nicer on zzzmirror.i2p/topics/3303-webtorrent-on-i2p eyedeekay :)

dr|z3d digitally remastered :)

eyedeekay Harpo was the coolest Marx brother.