eyedeekay
I had a potentially hare-brained showerthought about how to do TLS for I2P sites without forking a browser or running an in-I2P CA of our own
eyedeekay
It's probably not that much work
eyedeekay
github link to an explanation: github.com/eyedeekay/TLS-Somewhere
eyedeekay
I'll post an I2P link as soon as I get it mirrored
dr|z3d
hare-brained, or hair-brained schemes don't inspire much confidence, but I guess we should wait for the payload :)
eyedeekay
It's a genuinely crazy idea and I probably won't put that much time into it unless there's a great deal of interest but hypothetically it's not *worse* than anything we've already got
eyedeekay
But the premise is very counter-intuitive. Basically what it would do is create a deliberately useless CA that could be used to sign any certificate, and then use a browser extension to reject that CA for all non-I2P sites.
eyedeekay
I'm both sure it's crazy and sure it would work
dr|z3d
hmm, that sounds pretty dubious.
dr|z3d
if the point is just to bypass the self-signed click through, it might work, but of course you're then reliant on a browser extension which isn't great.
dr|z3d
but you're defeating 99% of the purpose of the certificate, which is to verify the authenticity of the connection.
eyedeekay
Agreed, for clearnet sites, but for hidden sites I'm just moving it back where it already was
dr|z3d
where it already was? a global fake cert isn't quite the same as a self-signed cert.
dr|z3d
what's the objective? to fix gitlab requirements for https?
eyedeekay
Where it already was would be the hidden service's private keys IMO
dr|z3d
I don't understand the motive, and I don't agree with the reasoning. If we don't *need* certificates on the network, then we don't need them, because the private dest key provides the same level of security or better.
dr|z3d
Which is why I'm asking what the objective is.
eyedeekay
the objective isn't just gitlab, I can just tell people how to add the self-signed CA for gitlab, my goal is to provide a solution that works for every self-signed certificate and differentiates between I2P and non-I2P self-signed certs
dr|z3d
so in essence all you're proposing to fix is the click through for self-signed certs on the network, the number of which you can probably count on one hand?
dr|z3d
if that's the case, I'd suggest that your time is probably better spent elsewhere, like ditching gitlab and migrating to something less monstrous :)
eyedeekay
If there were no barrier to entry, then I think HTTPS would be useful for many kinds of I2P sites, and more importantly, browsers are making more and more things functionally inaccessible without HTTPS.
dr|z3d
sure, if we could implement a solution that didn't require browser addons or fake certs, then it might be useful, not least to enable some https only features like http/2 or 3.
dr|z3d
otherwise, I don't see much demand for it, given we already have our own encryption layer. there's not much demand for it on Tor, either, though they have the added advantage of being able to install legit certs.
eyedeekay
The figure I got at CCC is that something like 30% of the real-world onions have real-world TLS-over-onion now
dr|z3d
presumably real-world being corporations running mirrors on Tor?
eyedeekay
Yeah
dr|z3d
so not really relevant to I2P.. if there are actual corps with a presence on our network, they haven't made any noise to suggest they'd like TLS support.
dr|z3d
and if they did want TLS support, you can rest assured they wouldn't be happy with a global fake cert.
eyedeekay
Well, unlike the other solutions I'm pretty sure that this one will still work without a browser fork when we do need a solution
eyedeekay
So it can sit on a shelf
dr|z3d
put it in the STTA tray and let it marinate :)
dr|z3d
"something to think about"
eyedeekay
My prediction is that there will never be anything *less* complex than a browser extension for modifying the behavior of TLS on I2P sites and even that gets really weird as you can see
eyedeekay
With the possible exception of a real CA issuing certs for I2P sites
eyedeekay
Everything else requires forking a browser which is always a mess
eyedeekay
But until we can't live without it, on the shelf it goes
dr|z3d
nothing less than a genuine CA authority issuing certs is going to satisfy any corporate interests on the network. without that, I don't see the point.
dr|z3d
if the new i2p.special certs or whatever the tld is could include .i2p domains, I'd be all for offering support in the network.
eyedeekay
webtorrent?
eyedeekay
Voice chat in the browser?
dr|z3d
fake certs don't buy us anything here that we don't already have in my opinion.
eyedeekay
So for the 2 examples I just gave, you have to have not 1 TLS certificate but 2, and not only that, but you need to have one of those TLS certificates be accepted non-interactively
eyedeekay
webtorrent requires you use wss to communicate with the tracker
eyedeekay
Well not webtorrent per se but browsers
eyedeekay
And in-browser voice chat requires the use of a server which the peers use to exchange address information
dr|z3d
we don't need webtorrent support, we already have a torrent client in the browser that serves the same purpose.
eyedeekay
No it doesn't
dr|z3d
(more or less :))
eyedeekay
The advantage of webtorrent is that you can embed the resource directly into a web page
eyedeekay
I can sort of hack something together that does that on top of a browser extension but IMO it's really not the same
dr|z3d
as for voice chat, we have an anonymizing network overlay and alternative voice-chat implementations that don't require certs, not that there's much demand for that, either.
eyedeekay
Mumble?
RN
but what about the recycling of sites? i.e. the re-use of registered names by reg.i2p? you don't have that same assurance we used to
dr|z3d
sure, why not. if that requires certs, presumably the application handles those? not familiar.
eyedeekay
I'm just wondering which voice chat you're referring to, the only one I know of that's been slightly successful so far is Mumble
RN
if i2peek-a-boo was gone long enough then someone could grab it in reg, regardless of whether I hold the private keys
dr|z3d
if it's registered on stats, then I think it's left alone, but you'd have to ask R4SAS to be sure.
eyedeekay
I'm not sure what you mean RN, this shouldn't overlap with reg's process of using the hidden service's own private keys
eyedeekay
to make the auth string
dr|z3d
RN is throwing a curveball.
eyedeekay
Unfortunately I gotta go AFK for a couple hours, I'll be back in a bit
eyedeekay
Ah, found the zzz.i2p thread for the last time it came up: zzz.i2p/topics/3303-webtorrent-on-i2p
eyedeekay
I wonder why it became today's showerthought. Probably because it could have been distracting.
dr|z3d
you look much nicer on zzzmirror.i2p/topics/3303-webtorrent-on-i2p eyedeekay :)
dr|z3d
digitally remastered :)
eyedeekay
Harpo was the coolest Marx brother.