Mustafabo
dr|z3d itsjustme AmyMalik RN
Mustafabo
albat_
dr|z3d
sup m
Mustafabo
dr|z3d, I heard you like Dick's
dr|z3d
:)
itsjustme
Hey Mustafabo!
Mustafabo
what's up itsjustme?
itsjustme
Not too much, just chillin. You?
Mustafabo
Watching Ip Man 4
Mustafabo
dr|z3d, did you see the new Ip Man?
Mustafabo
Ip Man: The Awakening
dr|z3d
not sure, Mustafabo. it's on my list of TODOs. :)
Mustafabo
okay
itsjustme
Mustafabo: I've not seen that before either
Mustafabo
itsjustme, watch the Ip Man movies
itsjustme
Link?
dr|z3d
?q=ipman
Mustafabo
itsjustme what are you doing?
Mustafabo
hey albat
albat
hey Mustafabo :)
Mustafabo
how are you?
albat
tired
Mustafabo
Oh
itsjustme
Mustafabo: watching the boys
dr|z3d
here's one for you, itsjustme: rollingstone.i2p/culture/culture-news/vabbing-tiktok-vagina-perfume-trend-1386173
dr|z3d
Mustafabo is a perpetual vabber.
RN
itsjustme, what season and episode of the boys are you on?
dr|z3d
new/revived sites, m0rd0r?
m0rd0r
yeah. i am getting back to it
dr|z3d
very good
m0rd0r
o7
dr|z3d
never been a better time to buff up your site.. network's exploding right now :)
m0rd0r
it feels very grassrootsy. i like it
mesh
dr|z3d: why do you say the network's exploding?
dr|z3d
all manner of new content appearing, mesh.
mesh
interesting. Though the number of routers doesn't seem to be changing much
dr|z3d
content, not routers, cloth ears!
mesh
dr|z3d: btw, I found rucore.net/en/security-and-privacy-how-to-store-service-keys-in-i2p which explains offline keys
dr|z3d
good find!
mesh
it's an interesting idea... though it doesn't really solve the "SSL problem"
mesh
My idea, of signing the actual XHTML documents served to the browser, works quite well. Of course no browser supports it hehe.
dr|z3d
the only SSL problem is in your imagination :)
mesh
dr|z3d: well no, it's a huge problem that is a blocker for me
dr|z3d
you can have SSL, as long as you're happy with a self-signed cert. otherwise you can go whistle :)
mesh
dr|z3d: when I go to skank.i2p to download I2P+ I have no idea that (1) the site is the "real" skank.i2p or that (2) you are the actual owner of the site or that (3) if the destination needs to change because of a ddos any new skank.i2p is authentic
mesh
that's a huge problem which frankly makes i2p useless for secure comms
dr|z3d
it's easy enough to verify that the skank you're visiting is the real skank. besides, if you don't trust skank, just download your updates from gitlab.
dr|z3d
that's bullshit.
mesh
dr|z3d: self-signed certs are of course half the problem
dr|z3d
useless for secure comms my ass.
mesh
dr|z3d: I mean, "easy enough to verify" means nothing to me or my users frankly. I can't give them a b32 address and be like "yeah, just trust me"
dr|z3d
well, you can.
dr|z3d
"this is my address"
dr|z3d
no different to "this is my clearnet https address"
mesh
no because a hostile actor will trick them one day and send them an email saying "hey, actually, this is the new address" and they will go to that address
mesh
dr|z3d: the clearnet https has a real cert so they can always trust that
mesh
the problem is with downloading stuff from i2p addresses
dr|z3d
a hostile actor could pwn your clearnet address and spike it with malware. no different. *sigh*
dr|z3d
bullshit
mesh
dr|z3d: well it's pretty different. in one case the user knows they're talking to my site, in the other they have no idea
dr|z3d
just because your clearnet address has an ssl cert doesn't mean it's not controlled by bad actors.
dr|z3d
this whole i2p isn't secure because ssl is just tedious crap. sorry.
mesh
I mean the lack of ssl very basically means that you never have any idea who you're talking to over i2p. I could trivially create a copy of skank.i2p, post it on a forum, and get tons of people to download compromised versions of i2p+ right now. They might ask about skank.i2p and I would just tell them both sites belong to me
mesh
there's absolutely no way to determine that skank.i2p and evilskank.i2p are owned by the same people or owned by different people
mesh
dr|z3d: I mean at least for me it's a blocker.
mesh
the solution I think is to sign everything. addressbook entries and individual xhtml pages
mesh
maybe it doesn't bother others, but when I go to skank.i2p I would like to see the addressbook entry, the self-signed cert, and the binaries all signed by the same key
mesh
that at least would tell me that skank.i2p is resolving to a site controlled by the same person I trusted when I added them to my address book
mesh
I've come to see the idea of an address book as a good thing. but the way i2p implements it is not secure. it really should be an encrypted, secure database that acts like a local certificate authority
mesh
the solution to the ssl problem then is just to kind of replace the i2p address book with a secure local CA. When users browse to an i2p site in the address book, verify that the self-signed cert presented by the site really is the same as the one in the address book
dr|z3d
you browse to a hostname.i2p, it's your addressbook that gets referenced. so register your hostname.
mesh
dr|z3d: yeah, that's true. the only problem is that the address book is just a very simple mapping of $domainName=base64.
dr|z3d
and people on this network aren't as stupid as you're suggesting. why would they visit your clone of skank.i2p when skank.i2p works fine?
mesh
dr|z3d: and I can tell any idiot user to add/update their address book with "skank.i2p=$EvilAddress"
dr|z3d
you could, and they'd laugh in your face.
dr|z3d
"skank.i2p" works fine for me, go away. etc.
mesh
dr|z3d: but nobody knows that my clone of skank.i2p is the clone
dr|z3d
except they do. because it doesn't resolve to skank.i2p
mesh
I would tell users that skank.i2p is an evil clone of my site, the real I2P+ host, that was created by the deep state
dr|z3d
this is what I mean. your scenarios are ridiculous.
mesh
nobody could verify either scenario because every skank.i2p is equally "real"
mesh
dr|z3d: I mean I don't think so... this is the reason SSL exists, after all. It's not some minor edge case
mesh
maybe I'm not making it clear, but for me, I need to be able to give a user a signed document saying "go to mesh.i2p to download the binaries", and when they go to mesh.i2p they need to be able to verify that it is the real mesh.i2p
RN
dr|z3d, consider a total newb and erosion of credibility... I mean the Americlowns elected trump. I think you give people in general too much credit because if something is simple and clear to you then you presume it is simple and clear for all...
RN
just sayin'
RN
there is some merit to what mesh is suggesting. not to the point of redesigning the whole I2P per se, but worth consideration.
dr|z3d
mesh is making a big deal out of absolutely nothing. the same people that are going to be duped into visiting a hostile clone site are the same people that will be phished.
RN
I agree with that. Why not be proactive about it and give the people more tools to verify things
mesh
dr|z3d: the problem is not just the stupid people btw. smart people wouldn't trust the existing system either
RN
keep in mind mesh, I'm not saying I2P is broken. I think we need a demo case of how to run a "verifiable eepsite" or whatever it ends up being called.
mesh
RN: I mean the basic idea is that "SSL doesn't work with I2P because there's no Certificate Authorities". And the very simple solution is "Every user becomes their own CA"
RN
it will take a few interacting parts that are not there... added on top of I2P functionality. maybe a plugin to interact with the verifiable parts
mesh
the real benefit of my system is that you only have to do it once, for one site. I give a digitally signed advertisement to a user saying "the address of mesh.i2p is $Address and it's owned by me, mesh"
mesh
the user adds the advertisement to their address book
mesh
and now when the user visits **any site** that can produce a self-signed cert that's the same as mesh.i2p ***they automatically know that I also control that site***
mesh
this solves third party deployment and the case where I have to change my address because of a ddos very cleanly. Once the user trusts one site by me, they trust all sites
RN
so make a plugin to handle that. storing the 'advertisements' and doing the checking and to alert the user if something failed on this "verification compatible eepsite" so they know, while leaving regular eepsites be with maybe an optional click through
mesh
but that's why self-signed certs are only half the problem. you need the initial, explicit trust step
RN
but until wide adoption, it would just be a nuisance to users... IMHO
RN
I get that.
RN
show us some code.
mesh
RN: heh, I'm working on it. Right now my plan is really to replace I2P Tunnel
RN
also, how does a user know that the 'advertisement' did not come from mesh, but m3sh and is actually evilskank instead...
mesh
RN: yeah advertisement distribution is the weak link in any p2p scheme. A hostile actor might beat me to the punch and give the user an evil advertisement that says "the address of mesh.i2p is $Evil and I'm the owner." I think advertisement distribution either needs to happen offline or perhaps even use clearnet ssl
RN
I dunno if complete replacement is necessary, like I said a plugin to add needed features on top of what is there is a lot less code to trust
RN
gotta afk a bit...
mesh
RN: a plugin approach would be nice. in theory it's just an additional check that says "hey the self-signed cert on this site matches the one in your secure address book"
RN
right. also the part to add something to the secure addressbook, and handle all the other addressbookness stuff
mesh
RN: yeah, it will handle that too. I actually think it would be cool if irc could bootstrap this whole process. Then I could /dcc send you an advertisement
mesh
does dcc send work here? in theory it should right
RN
not sure I trust dcc
RN
yes it can be enabled
RN
but it has a history of issues. don't know if all that has been cleaned up.
mesh
RN: yeah I'm sure. at least in this case an advertisement is a very small, digitally signed XML file. no binary component. basically plain text. so people might be okay with dcc'ing of small text files
RN
you can enable dcc in the irc tunnel type, but I don't know if you have to configure extra stuff in the client. pretty sure you do, and there are so many clients out there
RN
going afk... would like to chat about this more next time we are on at the same time
mesh
yup you can enable dcc in the tunnel type. good to know
mesh
RN: yeah, nice talking to ya. see ya later
RN
likewise
Mustafabo
shut up dr|z3d
AmyMalik
cancel the internet
AmyMalik
*** flames Mustafabo ***
AmyMalik
how's it going?
AmyMalik
\/= 93
wellicht
long live long vacations
AmyMalik
my arm hurps
Mustafabo
dr|z3d
dr|z3d
Mustafavabbo!
Mustafabo
what?
dr|z3d
admit it, you're a secret vabber
Mustafabo
lol
dr|z3d
is it just behind the ears or do you do your wrists as well?
Mustafabo
fuck you dr|z3d
Mustafabo
FUCK UUUUUU
albat
YEAH FUCK MEEEEEE!
albat
:p
itsjustme
RN: season 2
Mustafabo
itsjustme, I heard you like Dick's
itsjustme
I do. Do you?
Mustafabo
sure, it's big and it's chewy... It's saucy and it's gooey... What's in my mouth? It's gotta be Dick's
itsjustme
:D
T3s|4
the only question I'm interested in is whether 'vabbers' face a statistically significant increased chance of becoming impregnated by 'birthing people' vs average 'males' ;p
dr|z3d
ask Mustafabo, he's the authority.
dr|z3d
What he isn't telling you is that he's refined the procedure.
dr|z3d
Mustafabo is an anal vabber.
T3s|4
lols dr|z3d :)
dr|z3d
sorry, couldn't resist. just the thought.. *chuckles hard*
AmyMalik
I don't think people who wear their genital secretions as perfume are more likely to attract mates of the gender opposite theirs, T3s|4.