Saidit.net Canary #13
submitted 4 years ago by magnora7 from (self.SaiditCanary)
view the rest of the comments →
[–]elephant-movement-2 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - 4 years ago (6 children)
Where's the signature?
[–]magnora7[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - 4 years ago (5 children)
The signature is the fact it's posted from the magnora7 account
[–]elephant-movement-2 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - 4 years ago* (4 children)
Yeah, that's not good authentication. Not good enough for something as critical as a warrant canary.
Edit: also, you should consider making your canary less broad. For example, if you got a gag order over something trivially stupid that did not actually compromise the integrity of this site, then you couldn't publish your canary nor explain to users what was going on, causing unnecessary panic and assumptions of the worst (ie: people think your https key was given to Mallory but really you just had to give an IP address to the FBI of someone who just threatened another school shooting)
See riseup's experience with this https://riseup.net/en/about-us/press/canary-statement
[–]magnora7[S] 5 insightful - 1 fun5 insightful - 0 fun6 insightful - 0 fun6 insightful - 1 fun - 4 years ago (3 children)
If they can post from my account, we have much bigger problems than the canary
[–]elephant-movement-2 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 0 fun2 insightful - 1 fun - 4 years ago (2 children)
How many authentication bypass vulnerabilities in web applications were discovered in the past 10 years? It's no substitute for an air gapped computer used to cryptographically sign warrant canaries with GPG.
[–]magnora7[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - 4 years ago (1 child)
How many authentication bypass vulnerabilities in web applications were discovered in the past 10 years?
How would that make someone NOT post a canary over a 2 month period? If I was completely locked out of my own account for 2 months then that would mean we've completely lost control of the whole website anyway, so the signature would be redundant.
[–]danuker 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - 3 years ago (0 children)
A GPG-signed canary would allow you to publish authenticated messages irrespective of the security status of the website.
The only attackers that can fake a valid signature from a consistent key are the ones that have access to the computer used to sign.
use the following search parameters to narrow your results:
e.g. sub:pics site:imgur.com dog
sub:pics site:imgur.com dog
advanced search: by author, sub...
~2 users here now
SaiditCanary
view the rest of the comments →
[–]elephant-movement-2 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - (6 children)
[–]magnora7[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - (5 children)
[–]elephant-movement-2 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - (4 children)
[–]magnora7[S] 5 insightful - 1 fun5 insightful - 0 fun6 insightful - 0 fun6 insightful - 1 fun - (3 children)
[–]elephant-movement-2 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 0 fun2 insightful - 1 fun - (2 children)
[–]magnora7[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - (1 child)
[–]danuker 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 0 fun3 insightful - 1 fun - (0 children)