#saltr (irc2p) | I2P+ 2.5.0-11+ >> i2pplus.github.io | skank.i2p | git.skank.i2p | purokishi.i2p | vituperative.github.io/i2pchat | natter.i2p | notbob.i2p | ramble.i2p | shreddit.i2p | cake.i2p | /msg an op for voice

Mustafabo dr|z3d itsjustme AmyMalik RN

Mustafabo albat_

dr|z3d sup m

Mustafabo dr|z3d, I heard you like Dick's

dr|z3d :)

itsjustme Hey Mustafabo!

Mustafabo what's up itsjustme?

itsjustme Not to much, just chillin. You?

Mustafabo Watching Ip Man 4

Mustafabo dr|z3d, did you see the new Ip Man?

Mustafabo Ip Man: The Awakening

dr|z3d not sure, Mustafabo. it's on my list of TODOs. :)

Mustafabo okay

deathead <dr|z3d> I cant wait to pull down my newphews pants and suck that lil cock omfg

deathead <dr|z3d> Rape his little ass

itsjustme Mustafabo: ive not seen that before either

Mustafabo itsjustme, watch the Ip Man movies

itsjustme Link?

dr|z3d ?q=ipman

Mustafabo itsjustme what are you doing?

Mustafabo hey albat

albat hey Mustafabo :)

Mustafabo how are you?

albat tired

Mustafabo Oh

itsjustme Mustafabo: watching the boys

dr|z3d here's one for you, itsjustme: rollingstone.i2p/culture/culture-news/vabbing-tiktok-vagina-perfume-trend-1386173

dr|z3d Mustafabo is a perpetual vabber.

RN itsjustme, what season and episode of the boys are you on?

dr|z3d new/revived sites, m0rd0r?

m0rd0r yeah. i am getting back to it

dr|z3d very good

m0rd0r o7

dr|z3d never been a better time to buff up your site.. network's exploding right now :)

m0rd0r it feels very grassrootsy. i like it

mesh dr|z3d: why do you say the network's exploding?

dr|z3d all manner of new content appearing, mesh.

mesh interesting. Though I the number of routers doesn't seem to be changing much

dr|z3d content, not routers, cloth ears!

mesh dr|z3d: btw, I found rucore.net/en/security-and-privacy-how-to-store-service-keys-in-i2p which explains offline keys

dr|z3d good find!

mesh it's an interesting idea... though it doesn't really solve the "SSL problem"

mesh My idea, of signing the actual XHTML documents served to the browser, works quite well. Of course no browser supports it hehe.

dr|z3d the only SSL problem is in your imagination :)

mesh dr|z3d: well no, it's a huge problem that is a blocker for me

dr|z3d you can have SSL, as long as you're happy with a self-signed cert. otherwise you can go whistle :)

mesh dr|z3d: when I go to skank.i2p to download I2P+ I have no idea that (1) the site is the "real" skank.i2p or that (2) you are the actual owner of the site or that (3) if the destination needs to change because of a ddos any new skank.i2p is authentic

mesh that's a huge problem which frankly makes i2p useless for secure comms

dr|z3d it's easy enough to verify that the skank you're visiting is the real skank. besides, if you don't trust skank, just download your updates from gitlab.

dr|z3d that's bullshit.

mesh dr|z3d: self-signed certs are of course half the problem

dr|z3d useless for secure comms my ass.

mesh dr|z3d: I mean, "easy enough to verify" means nothing to me or my users frankly. I can't give them a b32 address and be like "yeah, just trust me"

dr|z3d well, you can.

dr|z3d "this is my address"

dr|z3d no different to "this is my clearnet https address"

mesh no because a hostile actor will trick them one day and send them an email saying "hey, actually, this is the new address" and they will go to that address

mesh dr|z3d: the clearnet https has a real cert so they can always trust that

mesh the problem is with downloading stuff from i2p addresses

dr|z3d a hostile actor could pwn your clearnet address and spike it with malware. no different. *sigh*

dr|z3d bullshit

mesh dr|z3d: well it's pretty different. in one case the user knows they're talking to my site, in the other they have no idea

dr|z3d just because your clearnet address has an ssl cert doesn't mean it's not controlled by bad actors.

dr|z3d this whole i2p isn't secure because ssl is just tedious crap. sorry.

mesh I mean the lack of ssl very basically means that you never have any idea who you're talking to over i2p. I could trivially create a copy of skank.i2p, post it on a forum, and get tons of people to download compromised versions of i2p+ right now. They might ask about skank.i2p and I would just tell them both sites belong to me

mesh there's absolutely no way to determine that skank.i2p and evilskank.i2p are owned by the same people or owned by different people

mesh dr|z3d: I mean at least for me it's a blocker.

mesh the solution I think is to sign everything. addressbook entries and individual xhtml pages

mesh maybe it doesn't bother others, but when I go to skank.i2p I would like to see the addressbook entry, the self-signed cert, and the binaries all signed by the same key

mesh that at least would tell me that skank.i2p is resolving to a site controlled by the same person I trusted when I added them to my address book

mesh I've come to see the idea of an address book as a good thing. but the way i2p implements is not secure. it really should be an encrypted, secure database that acts like a local certificate authority

mesh the solution to the ssl problem then is just to kind of replace the i2p address book with a secure local CA. When users browser to a i2p site in the address book verify that the self-signed cert presented by the site really is the same as the one in the address book

dr|z3d you browse to a hostname.i2p, it's your addressbook that gets referenced. so register your hostname.

mesh dr|z3d: yeah, that's true. the only problem is that the address book is just a very simple mapping of $domainName=base64.

dr|z3d and people on this network aren't as stupid as you're suggesting. why would they visit your clone of skank.i2p when skank.i2p works fine?

mesh dr|z3d: and I can tell any idiot user to add/update their address book with "skank.i2p=$EvilAddress"

dr|z3d you could, and they'd laugh in your face.

dr|z3d "skank.i2p" works fine for me, go away. etc.

mesh dr|z3d: but nobody knows that my clone of skank.i2p is the clone

dr|z3d except they do. because it doesn't resolve to skank.i2p

mesh I would tell users that skank.i2p is an evil clone of my site, the real I2P+ host, that was created b the deep state

dr|z3d this is what I mean. your scenarios are ridiculous.

mesh nobody could verify either scenario because every skank.i2p is equally "real"

mesh dr|z3d: I mean I don't think so... this is the reason SSL exists, after all. It's not some minor edge case

mesh maybe I'm not making it clear, but for me, I need to be able to give a user a signed document saying "go to mesh.i2p to download the binaries", and when they go to mesh.2ip they need to be able to verify that it is the real mesh.i2p

RN dr|z3d, consider a total newb and erosion of credibility... I mean the Americlowns elected trump. I think you give people in general too much credit because if something is simple and clear to you then you presume it is simple and clear for all...

RN just sayin'

RN there is some merrit to what mesh is suggesting. not to the point of redesigning the wholed I2P per se, but worth consideration.

dr|z3d mesh is making a big deal out of absolutely nothing. the same people that are going to be duped into visiting a hostile clone site are the same people that will be phished.

RN I agree with that. Why not be proactive about it and give the people more tools to verify things

mesh dr|z3d: the problem is not just the stupid people btw. smart people wouldn't trust the existing system either

RN keep in mind mesh, I'm not saying I2P is broken. I think we need a demo case of how to run a "verifiable eepsite" or whatever it ends up being called.

mesh RN: I mean the basic idea is that "SSL doesn't work with I2P because there's no Certificate Authorities". And the very simple solution is "Every user becomes their own CA"

RN it will take a few interacting parts that are not there... added on top of I2P functionality. maybe a plugin to interact with the verifiable parts

mesh the real benefit of my system is that you only have to do it once, for one site. I give a digitally signed advertisement to a user saying "the address of mesh.i2p is $Address and it's owned by me, mesh"

mesh the user adds the advertisement to their address book

mesh and now when the user visits **any site** that can produce a self-signed cert that's the same as mesh.i2p ***they automatically know that I also control that site***

mesh this solves third party deployment and the case where I have to change my address because of a ddos very cleanly. Once the user trusts one site by me, they trust all sites

RN so make a plugin to handle that. storing the 'advertisements' and doing the checking and to alert the user if something failed on this "verification compatible eepsite" so theyknow, while leaving regular eepsites be with maybe an optional click through

mesh but that's why self-signed certs are only half the problem. you need the initial, explicit trust step

RN but until wide adoption, it would just be a nusicence to users... IMHO

RN I get that.

RN show us some code.

mesh RN: heh, I'm working on it. Right now my plan is really to replace I2P Tunnel

RN also, how does a user know that the 'advertisement' did not come from mesh, but m3sh and is actually evilskank instead...

mesh RN: yeah advertisement distribution is the weak link in any p2p scheme. A hostile actor might beat me to the punch and give the user an evil advertisement that says "the address of mesh.i2p is $Evil and I'm the owner." I think advertisement distribution either needs to happen offline or perhaps even use clearnet ssl

RN I dunno if complete replacement is neccesary, like I said a plugin to add needed features on top of what is there is a lot less code to trust

RN gotta afk a bit...

mesh RN: a plugin approach would be nice. in theory it's just an additional check that says "hey the self-signed cert on this site matches the one in your secure address book"

RN right. also the part to add something to the secure addressbook, and handle all the other adressbookness stuff

mesh RN: yeah, it will handle that too. I actually think it would be cool if irc could bootstrap this whole process. Then I could /dcc send you an advertisement

mesh doess dcc send work here? in theory it should right

RN not sure I trust dcc

RN yes it can be enabled

RN but it has a history of issues. don't know if all that has been cleaned up.

mesh RN: yeah I'm sure. at least in this case an advertisement is a very small, digitally signed XML file. no binary component. basically plain text. so people might be okay with dcc'ing of small text files

RN you can enable dcc in the irc tunnel type, but I don't know if you have to configure extra stuff in the client. prety sure you do, and there are so many clients out there

RN going afk... would like to chat about this more next time we are on at the same time

mesh yup you can enable dcc in the tunnel type. good to know

mesh RN: yeah, nice talking to ya. see ya later

RN likewise

Mustafabo shut up dr|z3d

AmyMalik cancel the internet

AmyMalik *** flames Mustafabo ***

AmyMalik how's it going?

AmyMalik \/= 93

wellicht long live long vacations

AmyMalik my arm hurps

Mustafabo dr|z3d

dr|z3d Mustafavabbo!

Mustafabo what?

dr|z3d admit it, you're a secret vabber

Mustafabo lol

dr|z3d is it just behind the ears or do you do your wrists as well?

Mustafabo fuck you dr|z3d

Mustafabo FUCK UUUUUU

albat YEAH FUCK MEEEEEE!

albat :p

itsjustme RN: season 2

Mustafabo itsjustme, I heard you like Dick's

itsjustme I do. Do you?

Mustafabo sure, it's big and it's chewy... It's saucy and it's gooey... What's in my mouth? It's gotta be Dick's

itsjustme :D

T3s|4 the only question I'm interested in is whether 'vabbers' face a statistically significant increased chance of becoming impregnated by 'birthing people' vs average 'males' ;p

dr|z3d ask Mustafabo, he's the authority.

dr|z3d What he isn't telling you is that he's refined the procedure.

dr|z3d Mustafabo is an anal vabber.

T3s|4 lols dr|z3d :)

dr|z3d sorry, couldn't resist. just the thought.. *chuckles hard*

AmyMalik I don't think people who wear their genital secretions as perfume are more likely to attract mates of the gender opposite theirs, T3s|4.