IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#i2p-dev
/2024/03/31
eyedeekay I had a potentially hare-brained showerthought about how to do TLS for I2P sites without forking a browser or running an in-I2P CA of our own
eyedeekay It's probably not that much work
eyedeekay github link to an explanation: github.com/eyedeekay/TLS-Somewhere
eyedeekay I'll post an I2P link as soon as I get it mirrored
dr|z3d hare-brained, or hair-brained schemes don't inspire much confidence, but I guess we should wait for the payload :)
eyedeekay It's a genuinely crazy idea and I probably won't put that much time into it unless there's a great deal of interest but hypothetically it's not *worse* than anything we've already got
eyedeekay But the premise is very counter-intuitive. Basically what it would do is create a deliberately useless CA that could be used to sign any certificate, and then use a browser extension to reject that CA for all non-I2P sites.
eyedeekay I'm both sure it's crazy and sure it would work
dr|z3d hmm, that sounds pretty dubious.
dr|z3d if the point is just to bypass the self-signed click through, it might work, but of course you're then reliant on a browser extension which isn't great.
dr|z3d but you're defeating 99% of the purpose of the certificate, which is to verify the authenticity of the connection.
eyedeekay Agreed, for clearnet sites, but for hidden sites I'm just moving it back where it already was
dr|z3d where it already was? a global fake cert isn't quite the same as a self-signed cert.
dr|z3d what's the objective? to fix gitlab requirements for https?
eyedeekay Where it already was would be the hidden service's private keys IMO
dr|z3d I don't understand the motive, and I don't agree with the reasoning. If we don't *need* certificates on the network, then we don't need them, because the private dest key provides the same level of security or better.
dr|z3d Which is why I'm asking what the objective is.
eyedeekay the objective isn't just gitlab, I can just tell people how to add the self-signed CA for gitlab, my goal is to provide a solution that works for every self-signed certificate and differentiates between I2P and non-I2P self-signed certs
dr|z3d so in essence all you're proposing to fix is the click through for self-signed certs on the network, the number of which you can probably count on one hand?
dr|z3d if that's the case, I'd suggest that your time is probably better spent elsewhere, like ditching gitlab and migrating to something less monstrous :)
eyedeekay If there were no barrier to entry, then I think the HTTPS would be useful for many kinds of I2P sites, and more importantly, browsers are making more and more things functionally inaccessible without HTTPS.
dr|z3d sure, if we could implement a solution that didn't require browser addons or fake certs, then it might be useful, not least to enable some https only features like http/2 or 3.
dr|z3d otherwise, I don't see much demand for it, given we already have our own encryption layer. there's not much demand for it on Tor, either, though they have the added advantage of being able to install legit certs.
eyedeekay The figure I got at CCC is that something like 30% of the real-world onions have real-world TLS-over-onion now
dr|z3d presumably real-world being corporations running mirrors on Tor?
dr|z3d so not really relevant to I2P.. if there are actual corps with a presence on our network, they haven't made any noise to suggest they'd like TLS support.
dr|z3d and if they did want TLS support, you can rest assured they wouldn't be happy with a global fake cert.
eyedeekay Well, unlike the other solutions I'm pretty sure that this one will still work without a browser fork when we do need a solution
eyedeekay So it can sit on a shelf
dr|z3d put it in the STTA tray and let it marinate :)
dr|z3d "something to think about"
eyedeekay My prediction is that there will never be anything *less* complex than a browser extension for modifying the behavior of TLS on I2P sites and even that gets really weird as you can see
eyedeekay With the possible exception of a real CA issuing certs for I2P sites
eyedeekay Everything else requires forking a browser which is always a mess
eyedeekay But until we can't live without it, on the shelf it goes
dr|z3d nothing less than a genuine CA authority issuing certs is going to satisfy any corporate interests on the network. without that, I don't see the point.
dr|z3d if the new i2p.special certs or whatever the tld is could include .i2p domains, I'd be all for offering support in the network.
eyedeekay webtorrent?
eyedeekay Voice chat in the browser?
dr|z3d fake certs don't buy us anything here that we don't already have in my opinion.
eyedeekay So for the 2 examples I just gave, you have to have not 1 TLS certificate but 2, and not only that, but you need to have one of those TLS certificates be accepted non-interactively
eyedeekay webtorrent requires you use wss to communicate with the tracker
eyedeekay Well not webtorrent per se but browsers
eyedeekay And in-browser voice chat requires the use of a server which the peers use to exchange address information
dr|z3d we don't need webtorrent support, we already have a torrent client in the browser that serves the same purpose.
eyedeekay No it doesn't
dr|z3d (more or less :))
eyedeekay The advantage of webtorrent is that you can embed the resource directly into a web page
eyedeekay I can sort of hack something together that does that on top of a browser extension but IMO it's really not the same
dr|z3d as for voice chat, we have an anonymizing network overlay and alternative voice-chat implementations that don't require certs, not that there's much demand for that, either.
eyedeekay Mumble?
RN but what about the recycling of sites? i.e. with the re-use of registered names by reg.i2p, you don't have that same assurance we used to
dr|z3d sure, why not. if that requires certs, presumably the application handles those? not familiar.
eyedeekay I'm just wondering which voice chat you're referring to, the only one I know of that's been slightly successful so far is Mumble
RN if i2peek-a-boo was gone long enough then someone could grab it in reg, regardless of whether I hold the private keys
dr|z3d if it's registered on stats, then I think it's left alone, but you'd have to ask R4SAS to be sure.
eyedeekay I'm not sure what you mean RN, this shouldn't overlap with reg's process of using the hidden service's own private keys
eyedeekay to make the auth string
dr|z3d RN is throwing a curveball.
eyedeekay Unfortunately I gotta go AFK for a couple hours, I'll be back in a bit
eyedeekay Ah, found the zzz.i2p thread for the last time it came up: zzz.i2p/topics/3303-webtorrent-on-i2p
eyedeekay I wonder why it became today's showerthought. Probably because it could have been distracting.
dr|z3d you look much nicer on zzzmirror.i2p/topics/3303-webtorrent-on-i2p eyedeekay :)
dr|z3d digitally remastered :)
eyedeekay Harpo was the coolest Marx brother.