IRC log of #maemo for Wednesday, 2018-10-24

[02:43] <brolin_empey> Wow, apparently even the bmw.de Web site uses Let’s Encrypt.
[03:29] <DocScrutinizer05> lol, really?
[03:31] <DocScrutinizer05> indeed https://i.imgur.com/2C5Hw2o.png  X-P
[08:39] <totalizator> why not?
[09:29] <brolin_empey> totalizator: No reason not to in my experience and opinion but DocScrutinizer05 has his reasons to buy a certificate instead of using LE.  Personally I like LE because it allows me to automate the process of renewing the certificate.  That is actually a large part of the reason I switched to LE.  The reason for using a computer in the first place is to work more efficiently by having the computer do tedious, repetitive work to save valuable human time for
[09:29] <brolin_empey> things the computer cannot do itself, such as programming the computer.  I do not want to risk interruption of service because I have to manually renew certificates if this renewal process can be automated.
[09:33] <brolin_empey> In this case, though, I found it remarkable that BMW uses LE because BMW is a large company with broad brand recognition by the general public, not only by engineers.  In my experience, it seems that large companies usually still buy a conventional certificate instead of using LE, at least for their Web sites that I access as a basically English-language monoglot whose travels IRL are limited to Canada, USA including Hawaii and Alaska, and Mexico.
[09:36] <brolin_empey> But hey, I can speak x86 assembly language and machine code. :-P
[09:39] <brolin_empey> It took me around three decades of living in Canada, not Quebec though, to realise that “bonjour” literally means “good day” instead of “hello”.  I thought it meant “hello” because “hello” is usually translated to French as “bonjour” in my experience.
[09:45] <brolin_empey> Do new road vehicles sold in continental Europe have miles on the speedometer?  It surprises me that some automakers, at least Volkswagen and Audi, no longer include miles on the speedometer of vehicles sold in Canada even though most Canadians live close to the USA, where road signs still use miles instead of metric, same as the UK.
[09:50] <brolin_empey> I realised that if the Tesla brand was used for a diesel vehicle then the vehicle may have a “Tesla coil” indicator light. :-D
[09:55] <brolin_empey> Does anyone from Taiwan say “flag of Taiwan” instead of “flag of the Republic of China”?
[09:57] <brolin_empey> Strictly speaking, there is, as far as I can tell, no flag of Taiwan, only the flag of the Republic of China, which is effectively a flag of Taiwan.
[09:59] <brolin_empey> I mean the current flag of the ROC, not the previous flag of the ROC.
[10:01] <brolin_empey> Serious question that I thought of: What do a Commodore 64 or Commodore 128 and a car with an automatic transmission with a horizontally-moving gear selector lever have in common?
[10:02] <Vajb> hardware restrictions ;)
[10:03] <brolin_empey> Or a typewriter, which is why the early Commodore computers have the thing that is the answer.
[10:05] <brolin_empey> The answer is (a) shift lock as opposed to a caps lock.
[10:07] <brolin_empey> I do not know if a vehicle with an automatic transmission with a column shifter has a shift lock because I have possibly literally zero experience driving such a vehicle.
[10:08] <brolin_empey> I have more experience with 5.25-inch flexible disc drives than with automatic transmissions.
[10:11] <brolin_empey> Vajb: Seriously, though, does any Commodore computer truly have hardware restrictions, other than the write prevent mechanism of the flexible disc drive?  I thought that Commodore usually did not try to restrict the user of their products.
[10:18] <brolin_empey> It also occurred to me recently that the automotive industry may have originally had only one manual that covered both using and servicing a vehicle before splitting the service manual from the user manual?
[10:24] <brolin_empey> DocScrutinizer05: What does “DocScrutinizer” mean?  Document(ation) Scrutinizer?  Doctor Scrutinizer?
[11:30] <Juesto> brolin_empey: doctor is most likely, perhaps look it up?
[11:30] <Juesto> pfft
[11:31] <Juesto> thats a silly comparison
[12:00] <sixwheeledbeast> I assumed Doctor. the issue with certificates is it's a massive chain of trust and if that is compromised somehow it leads to false security. Cert companies have gone bust by blindly or systematically adding certs you lose that web of trust and no one will trust you.
[12:08] <Maxdamantus> Do big companies use conventional certificates because they're better, or because that's just what companies have always done?
[12:10] <Maxdamantus> You can probably find a bunch of other technologies that are pretty much only used by big companies, mostly because it's big companies that have been around long enough to still be using them.
[12:10] <Maxdamantus> things like Java application servers come to mind.
[12:11] <Juesto> Maxdamantus: companies use standard certificates because its whats trusted and what browsers have built in, they use their own within the trusted well known root certificate that is on the OSes
[12:11] <sixwheeledbeast> I would imagine larger companies would be happy to pay for a better known more trusted company. Also they may be happy with the relationship they have built up with the company.
[12:12] <Maxdamantus> Juesto: browsers obviously support LE though, otherwise LE wouldn't be very useful.
[12:12] <sixwheeledbeast> It's possible BMW have got new people in to work on their web stack.
[12:12] <Juesto> ?
[12:13] <Maxdamantus> Juesto: “its whats trusted and what browsers have built in”
[12:13] <Juesto> LE?
[12:13] <Maxdamantus> Juesto: LE is trusted in the same way as other CAs.
[12:13] <Maxdamantus> Juesto: letsencrypt.
[12:13] <Juesto> oh right
[12:13] <Juesto> yeah, LE is pretty recent as far as i gather
[12:14] <Juesto> but that one likely uses another well known root cert
[12:14] <Juesto> apologies for the little confusion i had
[12:14] <Maxdamantus> I was under the impression that LE has their own root cert(s), but I haven't looked into it.
[12:15] <Juesto> go ahead and confirm?
[12:16] <Maxdamantus> "DST Root CA X3"?
[12:18] <Maxdamantus> Ah okay, that's a certificate from some "IdenTrust".
[12:18] <Juesto> :)
[12:20] <Maxdamantus> But that's obviously quite a lot of trust that "IdenTrust" must be putting in LE.
[12:22] <sixwheeledbeast> Exactly...
[12:22] * Maxdamantus isn't particularly familiar with certificates, but presumably they've signed LE's certificate saying they can sign for any domain.
[12:23] <Maxdamantus> So IdenTrust and LE are effectively the same thing here.
[12:23] <Maxdamantus> "I trust you to have as much power as I have"
[12:27] <sixwheeledbeast> With all encryption like this you have some public key and private key. The cert co's job is as a third party to verify those keys are correct and valid.
[12:28] <Maxdamantus> Well, its job is to vouch for the association of some public key with some domain name.
[12:29] <Maxdamantus> I understand how it works in principle, just don't know the details around validation processes, the actual trust delegation, etc
[12:30] <Maxdamantus> I can't see something explicitly like "domain: *" in the information about the LE certificate through Firefox's certificate viewer, so presumably the delegation is in the form of something like "Signer"
[12:32] <Maxdamantus> I'm guessing it's the "Is a Certificate Authority" part under "Extensions > Certificate Basic Constraints"
[12:33] <Maxdamantus> so if a valid certificate says "Is a Certificate Authority", then any certificate signed by that certificate is also valid.
[12:34] <Maxdamantus> But surely there must be other ways to delegate these things, eg, if you have a valid certificate for "*.google.com", presumably you can sign another certificate for "mail.google.com", without being a CA.
[12:42] <Maxdamantus> Google has at least one of these CA certificates too.
[12:42] <Maxdamantus> issued by GlobalSign
[12:45] <sixwheeledbeast> Google have Google Trust Services
[12:51] <sixwheeledbeast> Superfish...
[12:51] * sixwheeledbeast shudders
[13:14] <Vajb> hmm I wonder, if company x trusts company y and company y trusts company x. Who is to say that x and y are trustworthy?
[13:15] <Vajb> question raised while reading a backlog
[13:16] <Maxdamantus> Vajb: the trust statements are backwards relative to how certificates normally work.
[13:17] <Maxdamantus> It should be "y is trusted by x" and "x is trusted by y", since that's what's in the certificates ("y is trusted by x" -> "y includes a signature produced by x")
[13:18] <KotCzarny> i think vajb wants to know who is at the top of trust
[13:19] <Vajb> hmm ok, Im still not quite there yet or maybe what KotCzarny said...
[13:19] <Maxdamantus> but what's important is whether you can follow the "_ is trusted by _" relations to a certificate that you're willing to inherently trust, which will happen in this case if either certificate exists in the browser's/OS' certificate store.
[13:20] <Maxdamantus> afaik, being a "root" is not really important.
[13:21] <Vajb> I thought more of as is there company z who says x and y are trustworthy
[13:21] <KotCzarny> no? someone decides who can get in and when and at what conditions
[13:22] <Vajb> but is this more related to blockchain?
[13:22] <KotCzarny> and i suppose those in lower roots have to agree to some root conditions
[13:22] <Maxdamantus> unless "root" means "exists in the browser's/OS' certificate store"
[13:22] <Maxdamantus> as opposed to being issued by itself.
[13:23] <KotCzarny> certificate stores usually use whatever is popular/"trusted"
[13:26] <Vajb> so browser creator gets to decide what certificates his browser has by default?
[13:26] <KotCzarny> yes
[13:26] <KotCzarny> unless they use system's one
[13:26] <Vajb> or maybe develober instead of creator...
[13:26] <Vajb> developer*
[13:27] <KotCzarny> but since browsers had to be consistent, they bundle certs themselves
[13:27] <Vajb> ah os has its own certificates too?
[13:27] <KotCzarny> some specific builds might use system's one
[13:27] <KotCzarny> yeah
[13:27] <Vajb> hmm
[13:27] <KotCzarny> in debianish world they usually come as ca-certificates package
[13:28] <KotCzarny> but curl packs its own often
[13:28] <Vajb> if some rogue developer puts some dubious certificates in his store would it be possible to them to spread and compromise whole chain of trust?
[13:28] <KotCzarny> so basically it's a mess, which wouldnt be a mess in updated and supported distro
[13:28] <KotCzarny> yup
[13:29] <KotCzarny> but it would only be used by that particular app
[13:29] <KotCzarny> unless it goes rogue and modifies system
[13:29] <Vajb> and that _could_ be possible with, say LE?
[13:29] <KotCzarny> nah, LE is different story
[13:30] <Vajb> ok, Im trying to wrap my head around why it is starbge that BMW uses LE.
[13:30] <Vajb> strange*
[13:30] <Juesto> eh, its a standard-ish thing
[13:30] <KotCzarny> because LE is new kid on the block
[13:30] <Juesto> root certificates are like the root domains, they're on top of the chain
[13:30] <KotCzarny> and we have yet to see how well they manage things
[13:31] <Juesto> if LE was a root cert on its own it would have been perhaps a little more exposed/scandalous/newsworthy
[13:32] <Vajb> ah so its trust exp runs quite low still and it needs few level ups ;)
[13:33] <Juesto> its more a service
[13:33] <Vajb> I see.
[13:33] <Juesto> apparently
[13:33] <Juesto> dont quote me
[13:34] <Juesto> neither rely
[13:34] <KotCzarny> also, their value gets undermined by a 'free cert for everyone' idea
[13:34] <KotCzarny> which basically includes malware
[13:34] <Juesto> pfft
[13:34] <Juesto> what a scam(?)
[13:34] <KotCzarny> user might see 'oh it's a trusted site' without checking who is the owner of the cert
[13:37] <Vajb> so should we always check who issued the cert? And even block some certs if they seem dubious?
[13:38] <KotCzarny> no, who owns the cert
[13:38] <KotCzarny> issuers are trusted
[13:38] <Vajb> I think I never checked any certs
[13:38] <Juesto> issuer != owner
[13:38] <KotCzarny> but they might sell/issue cert to dubious entity
[13:38] <Vajb> ah missed that part
[13:39] <Vajb> actually I recall firefox complaining about certs being old in some page
[13:39] <Vajb> (I know this is not related to this)
[13:40] <Vajb> hmm that
[13:40] <Juesto> must have been your clock or your store being outdated
[13:41] <KotCzarny> or old browser without updated certs
[13:41] <Vajb> or I was in some shady back alley of internet
[13:41] <KotCzarny> might be that too
[13:41] <Juesto> lel
[13:42] <Juesto> oh ya you reminded me
[13:42] <Vajb> I backed off, if you wonder ;)
[13:42] <Juesto> yes some internet connection can cause issues with certs
[13:42] <Juesto> and browser warnings
[13:42] <Juesto> especially flaky ones
[13:42] <Vajb> hmm can't recall if it was home or with some "free" wlan
[13:43] <Juesto> there you go
[13:43] <Juesto> wifi can be terrible
[13:45] <Vajb> yup. That's why I don't use anything sensitive anymore while on free wifi
[13:45] <Vajb> like on holidays
[13:47] <Juesto> :)
[13:50] <Maxdamantus> 23:28:39 < Vajb> if some rogue developer puts some dubious certificates in his store would it be possible to them to spread and compromise whole chain of trust?
[13:51] <Maxdamantus> In his own store? Then he's just compromising whatever software uses that store.
[13:51] <Maxdamantus> The trust store isn't going to magically replicate to other machines.
[13:52] <Maxdamantus> The rogue developer would need to do something like change what certificates are distributed as part of something like a Firefox package, or curl or ca-certificates.
[13:53] <Maxdamantus> (by "a Firefox package", I mean the package used for something like Debian)
[13:55] <Maxdamantus> But ultimately, the "top" of the trust chain is the stuff running on your system.
[13:57] <Maxdamantus> Since it's your browser that decides to look in certain places on the filesystem for certificates, and it's your harddrive that decides to return the blocks in the filesystem that happen to be stored certificates, and it's your CPU that decides to execute the browser's code in the correct way.
[13:58] <KotCzarny> top, but still uses trust from the internet
[13:58] <KotCzarny> so not the toppish top
[13:59] <Maxdamantus> But you can say that about any CA, not just the "root" ones.
[13:59] <KotCzarny> yup
[13:59] <Maxdamantus> and since LE has a valid CA certificate, they're already fully trusted through these chains.
[14:00] <Maxdamantus> whether that trust comes from certificates stored directly in Firefox/ca-certificates, or from another such certificate signing LE's one.
[14:04] <Maxdamantus> actually, LE is already such a certificate on my system.
[14:06] <Maxdamantus> so it's trusted by both my browser directly, and by DST (which my browser trusts directly)
[15:49] <sixwheeledbeast> An issue is something like superfish, someone gets a fake cert into people's cert store either through browser or bundled by manufacturer. In this example it was a fake Google cert so you think TLS is working. Malware can then MITM your data on your machine, potentially leaving you with your private and public keys written to your drive in plaintext, that's bad.
[15:51] <sixwheeledbeast> Older companies are more trusted and therefore further up the web of trust.
[15:51] <sixwheeledbeast> s/Older/Established
[21:37] <Maxdamantus> Well, the superfish case is kind of analogous to just including actual software that can be considered malware.
[21:37] <Maxdamantus> eg, some program that automatically runs and manipulates memory used by web browsers such that it shows websites as being safe when they're not.
[21:53] <Maxdamantus> note: the point of the above comments is: superfish is not the fault of any particular trust system, since any trust system is vulnerable to attacks involving control over software distribution.
[23:08] <DocScrutinizer05> >><brolin_empey> DocScrutinizer05: What does “DocScrutinizer” mean?  Document(ation) Scrutinizer?<<  <<-that
[23:09] <brolin_empey> DocScrutinizer05: OK.
[23:10] <DocScrutinizer05> like prolly all Nicks this one got 'designed' by a creative process and been inspired by >>Mr Reisenweber eats documents for breakfast<< (quote of a colleague), Frank Zappa's "Joe's Garage", and the character of DocHoliday
[23:12] <DocScrutinizer05> https://en.wikipedia.org/wiki/Doc_Holliday
[23:17] <DocScrutinizer05> oops, the quote of my colleague actually was >>joerg eats datasheets for breakfast<<
[23:18] <DocScrutinizer05> but there's no 3char file extension specific for datasheets ;-D
[23:20] <DocScrutinizer05> it's surprising how often the reference to Joe's Garage gets instantly noticed though
