#saltr
/2022/07/28
Mustafabo dr|z3d itsjustme AmyMalik RN
dr|z3d sup m
Mustafabo dr|z3d, I heard you like Dick's
itsjustme Hey Mustafabo!
Mustafabo what's up itsjustme?
itsjustme Not too much, just chillin. You?
Mustafabo Watching Ip Man 4
Mustafabo dr|z3d, did you see the new Ip Man?
Mustafabo Ip Man: The Awakening
dr|z3d not sure, Mustafabo. it's on my list of TODOs. :)
itsjustme Mustafabo: ive not seen that before either
Mustafabo itsjustme, watch the Ip Man movies
dr|z3d ?q=ipman
Mustafabo itsjustme what are you doing?
Mustafabo hey albat
albat hey Mustafabo :)
Mustafabo how are you?
albat tired
itsjustme Mustafabo: watching the boys
dr|z3d Mustafabo is a perpetual vabber.
RN itsjustme, what season and episode of the boys are you on?
dr|z3d new/revived sites, m0rd0r?
m0rd0r yeah. i am getting back to it
dr|z3d very good
dr|z3d never been a better time to buff up your site.. network's exploding right now :)
m0rd0r it feels very grassrootsy. i like it
mesh dr|z3d: why do you say the network's exploding?
dr|z3d all manner of new content appearing, mesh.
mesh interesting. Though I the number of routers doesn't seem to be changing much
dr|z3d content, not routers, cloth ears!
dr|z3d good find!
mesh it's an interesting idea... though it doesn't really solve the "SSL problem"
mesh My idea, of signing the actual XHTML documents served to the browser, works quite well. Of course no browser supports it hehe.
dr|z3d the only SSL problem is in your imagination :)
mesh dr|z3d: well no, it's a huge problem that is a blocker for me
dr|z3d you can have SSL, as long as you're happy with a self-signed cert. otherwise you can go whistle :)
mesh dr|z3d: when I go to skank.i2p to download I2P+ I have no idea that (1) the site is the "real" skank.i2p or that (2) you are the actual owner of the site or that (3) if the destination needs to change because of a ddos any new skank.i2p is authentic
mesh that's a huge problem which frankly makes i2p useless for secure comms
dr|z3d it's easy enough to verify that the skank you're visiting is the real skank. besides, if you don't trust skank, just download your updates from gitlab.
dr|z3d that's bullshit.
mesh dr|z3d: self-signed certs are of course half the problem
dr|z3d useless for secure comms my ass.
mesh dr|z3d: I mean, "easy enough to verify" means nothing to me or my users frankly. I can't give them a b32 address and be like "yeah, just trust me"
dr|z3d well, you can.
dr|z3d "this is my address"
dr|z3d no different to "this is my clearnet https address"
mesh no because a hostile actor will trick them one day and send them an email saying "hey, actually, this is the new address" and they will go to that address
mesh dr|z3d: the clearnet https has a real cert so they can always trust that
mesh the problem is with downloading stuff from i2p addresses
dr|z3d a hostile actor could pwn your clearnet address and spike it with malware. no different. *sigh*
dr|z3d bullshit
mesh dr|z3d: well it's pretty different. in one case the user knows they're talking to my site, in the other they have no idea
dr|z3d just because your clearnet address has an ssl cert doesn't mean it's not controlled by bad actors.
dr|z3d this whole i2p isn't secure because ssl is just tedious crap. sorry.
mesh I mean the lack of ssl very basically means that you never have any idea who you're talking to over i2p. I could trivially create a copy of skank.i2p, post it on a forum, and get tons of people to download compromised versions of i2p+ right now. They might ask about skank.i2p and I would just tell them both sites belong to me
mesh there's absolutely no way to determine that skank.i2p and evilskank.i2p are owned by the same people or owned by different people
mesh dr|z3d: I mean at least for me it's a blocker.
mesh the solution I think is to sign everything. addressbook entries and individual xhtml pages
mesh maybe it doesn't bother others, but when I go to skank.i2p I would like to see the addressbook entry, the self-signed cert, and the binaries all signed by the same key
mesh that at least would tell me that skank.i2p is resolving to a site controlled by the same person I trusted when I added them to my address book
mesh I've come to see the idea of an address book as a good thing. but the way i2p implements is not secure. it really should be an encrypted, secure database that acts like a local certificate authority
mesh the solution to the ssl problem then is just to kind of replace the i2p address book with a secure local CA. When users browse to an i2p site in the address book verify that the self-signed cert presented by the site really is the same as the one in the address book
dr|z3d you browse to a hostname.i2p, it's your addressbook that gets referenced. so register your hostname.
mesh dr|z3d: yeah, that's true. the only problem is that the address book is just a very simple mapping of $domainName=base64.
dr|z3d and people on this network aren't as stupid as you're suggesting. why would they visit your clone of skank.i2p when skank.i2p works fine?
mesh dr|z3d: and I can tell any idiot user to add/update their address book with "skank.i2p=$EvilAddress"
dr|z3d you could, and they'd laugh in your face.
dr|z3d "skank.i2p" works fine for me, go away. etc.
mesh dr|z3d: but nobody knows that my clone of skank.i2p is the clone
dr|z3d except they do. because it doesn't resolve to skank.i2p
mesh I would tell users that skank.i2p is an evil clone of my site, the real I2P+ host, that was created by the deep state
dr|z3d this is what I mean. your scenarios are ridiculous.
mesh nobody could verify either scenario because every skank.i2p is equally "real"
mesh dr|z3d: I mean I don't think so... this is the reason SSL exists, after all. It's not some minor edge case
mesh maybe I'm not making it clear, but for me, I need to be able to give a user a signed document saying "go to mesh.i2p to download the binaries", and when they go to mesh.i2p they need to be able to verify that it is the real mesh.i2p
RN dr|z3d, consider a total newb and erosion of credibility... I mean the Americlowns elected trump. I think you give people in general too much credit because if something is simple and clear to you then you presume it is simple and clear for all...
RN just sayin'
RN there is some merit to what mesh is suggesting. not to the point of redesigning the whole I2P per se, but worth consideration.
dr|z3d mesh is making a big deal out of absolutely nothing. the same people that are going to be duped into visiting a hostile clone site are the same people that will be phished.
RN I agree with that. Why not be proactive about it and give the people more tools to verify things
mesh dr|z3d: the problem is not just the stupid people btw. smart people wouldn't trust the existing system either
RN keep in mind mesh, I'm not saying I2P is broken. I think we need a demo case of how to run a "verifiable eepsite" or whatever it ends up being called.
mesh RN: I mean the basic idea is that "SSL doesn't work with I2P because there's no Certificate Authorities". And the very simple solution is "Every user becomes their own CA"
RN it will take a few interacting parts that are not there... added on top of I2P functionality. maybe a plugin to interact with the verifiable parts
mesh the real benefit of my system is that you only have to do it once, for one site. I give a digitally signed advertisement to a user saying "the address of mesh.i2p is $Address and it's owned by me, mesh"
mesh the user adds the advertisement to their address book
mesh and now when the user visits **any site** that can produce a self-signed cert that's the same as mesh.i2p ***they automatically know that I also control that site***
mesh this solves third party deployment and the case where I have to change my address because of a ddos very cleanly. Once the user trusts one site by me, they trust all sites
RN so make a plugin to handle that. storing the 'advertisements' and doing the checking and to alert the user if something failed on this "verification compatible eepsite" so they know, while leaving regular eepsites be with maybe an optional click through
mesh but that's why self-signed certs are only half the problem. you need the initial, explicit trust step
RN but until wide adoption, it would just be a nuisance to users... IMHO
RN I get that.
RN show us some code.
mesh RN: heh, I'm working on it. Right now my plan is really to replace I2P Tunnel
RN also, how does a user know that the 'advertisement' did not come from mesh, but m3sh and is actually evilskank instead...
mesh RN: yeah advertisement distribution is the weak link in any p2p scheme. A hostile actor might beat me to the punch and give the user an evil advertisement that says "the address of mesh.i2p is $Evil and I'm the owner." I think advertisement distribution either needs to happen offline or perhaps even use clearnet ssl
RN I dunno if complete replacement is necessary, like I said a plugin to add needed features on top of what is there is a lot less code to trust
RN gotta afk a bit...
mesh RN: a plugin approach would be nice. in theory it's just an additional check that says "hey the self-signed cert on this site matches the one in your secure address book"
RN right. also the part to add something to the secure addressbook, and handle all the other addressbookness stuff
mesh RN: yeah, it will handle that too. I actually think it would be cool if irc could bootstrap this whole process. Then I could /dcc send you an advertisement
mesh does dcc send work here? in theory it should right
RN not sure I trust dcc
RN yes it can be enabled
RN but it has a history of issues. don't know if all that has been cleaned up.
mesh RN: yeah I'm sure. at least in this case an advertisement is a very small, digitally signed XML file. no binary component. basically plain text. so people might be okay with dcc'ing of small text files
RN you can enable dcc in the irc tunnel type, but I don't know if you have to configure extra stuff in the client. pretty sure you do, and there are so many clients out there
RN going afk... would like to chat about this more next time we are on at the same time
mesh yup you can enable dcc in the tunnel type. good to know
mesh RN: yeah, nice talking to ya. see ya later
RN likewise
Mustafabo shut up dr|z3d
AmyMalik cancel the internet
AmyMalik *** flames Mustafabo ***
AmyMalik how's it going?
AmyMalik \/= 93
wellicht long live long vacations
AmyMalik my arm hurps
dr|z3d Mustafavabbo!
dr|z3d admit it, you're a secret vabber
dr|z3d is it just behind the ears or do you do your wrists as well?
Mustafabo fuck you dr|z3d
Mustafabo FUCK UUUUUU
albat YEAH FUCK MEEEEEE!
itsjustme RN: season 2
Mustafabo itsjustme, I heard you like Dick's
itsjustme I do. Do you?
Mustafabo sure, it's big and it's chewy... It's saucy and it's gooey... What's in my mouth? It's gotta be Dick's
T3s|4 the only question I'm interested in is whether 'vabbers' face a statistically significant increased chance of becoming impregnated by 'birthing people' vs average 'males' ;p
dr|z3d ask Mustafabo, he's the authority.
dr|z3d What he isn't telling you is that he's refined the procedure.
dr|z3d Mustafabo is an anal vabber.
T3s|4 lols dr|z3d :)
dr|z3d sorry, couldn't resist. just the thought.. *chuckles hard*
AmyMalik I don't think people who wear their genital secretions as perfume are more likely to attract mates of the gender opposite theirs, T3s|4.