tinycorelinux.net does not support SSL, Chrome blocks downloads

CentralWare:
"Secure" has numerous definitions based on who you ask.

SSL simply encrypts data between two (or more) points - there have been US presidential candidates (no names need be mentioned :) ) who somehow thought just because something says SSL is SECURE doesn't mean the press isn't going to have a field day with your emails!

Encrypting publicly available downloads --- it's a pure WASTE of BANDWIDTH as SSL just adds fat to the download since the file itself is public domain.  It's not a "secret!"
Encrypting downloads that contain personal content (i.e. zip files or scanned images of your identification, banking records, etc.) WOULD be something you'd want to encrypt.

G00GLE wants to make everything online SSL-IDENTITY based when in fact, it's because of places like Let's Encrypt (free) that every crook on the planet can afford an SSL cert of their own, so what's the point of Chrome pretending there's "safe" anything :)  Don't get me wrong, Let's Encrypt is awesome...  but trying to force the planet into submission?  Sounds an awful lot like the Shockwave/Flash demise to me!

@Curaga: If we HAD to comply...  why not utilize mirror links which DO have SSL implemented?  (https://distro.ibiblio.org/tinycorelinux/14.x/x86_64/release/CorePure64-14.0.iso)

gadget42:
@CentralWare, thanks for taking the time to post that since there are many who don't understand the particulars.

Dies Irae:
While we're on this subject of secure..

What are the thoughts about adding signify, noting that there are various flavours (predominantly due to adding fields), for which we perhaps could choose OpenWRT usign (which cost them a mere 11K when installed).

Recall that the computational overhead here would be minimal, the idea is that we can cryptographically verify a small file that is basically a hash+info of the extension. Once we know the hash is good, we assume that the file matching that hash is also good. OpenBSD (who sanely rejected the idea that https solves everything in life) proved the idea is sound and inclusive to all, OpenWRT's implementation isn't new (had eyeballs) and is invested in being small and lightweight.

The entire dance is probably even cheaper than a https handshake/exchange (and alleviates everyone from fears such as today, while even preemptively swiping pro-https arguments off some potential table). Potential match made in heaven?

curaga:
TC is a small, volunteer-based distro. While signing extensions would help detect a rogue mirror, it would imply many other kinds of security that would only be available in larger, corporate distros.

Dies Irae:

--- Quote from: curaga on March 06, 2024, 10:44:22 AM ---TC is a small, volunteer-based distro. While signing extensions would help detect a rogue mirror, it would imply many other kinds of security that would only be available in larger, corporate distros.

--- End quote ---

After giving this response considerable thought, I can't, for the life of me, come up with any other implied benefits, other than of course the purpose: that a man in the middle (like the public internet wifi access in a supermarket or cafe or numerous other places OR some Iranian govt (and similar)) cannot trivially infect a tinycore instance, by *simply* passing it the wrong md5 and infected matching tcz extension.
As an equivalent example, I also don't see any other implied security of openwrt (for example) using signify, while I assume one wouldn't run openwrt on their laptop in a cafe, like one would use your cloud-os tinycore.

What other implied security features did I not think of?
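
The check discussed in this thread, as an added example (not any poster's code and not Tiny Core's or usign's): an Ed25519-signed manifest, the signature scheme signify uses, compared with a checksum fetched from the same mirror as the file. The manifest format, function names, key and file contents are constructed assumptions, and SHA-256 stands in for the hash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// manifest builds the small "hash+info" file for an extension.
// The two-line format is hypothetical, not usign's or Tiny Core's.
func manifest(name string, ext []byte) []byte {
	return []byte(fmt.Sprintf("name=%s\nsha256=%x\n", name, sha256.Sum256(ext)))
}

// checksumOnly models an unsigned check: file and checksum both come
// from the same mirror, so whoever controls the transfer controls both.
func checksumOnly(name string, ext, man []byte) bool {
	return bytes.Equal(manifest(name, ext), man)
}

// signedCheck first verifies the manifest against a public key that is
// already on the client, and only then trusts the hash inside it.
func signedCheck(pub ed25519.PublicKey, name string, ext, man, sig []byte) bool {
	return ed25519.Verify(pub, man, sig) && checksumOnly(name, ext, man)
}

// demo returns whether: the honest download passes the signed check, the
// swapped pair passes the unsigned check, the swapped pair passes the signed check.
func demo() (honest, swappedUnsigned, swappedSigned bool) {
	// Constructed key and contents, for illustration only.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	good := []byte("constructed extension contents")
	man := manifest("demo.tcz", good)
	sig := ed25519.Sign(priv, man) // done once by the distro, offline

	// A man in the middle swaps the file and regenerates a matching
	// manifest, but can only replay the old signature.
	evil := []byte("constructed tampered contents")
	evilMan := manifest("demo.tcz", evil)

	honest = signedCheck(pub, "demo.tcz", good, man, sig)
	swappedUnsigned = checksumOnly("demo.tcz", evil, evilMan)
	swappedSigned = signedCheck(pub, "demo.tcz", evil, evilMan, sig)
	return
}

func main() {
	fmt.Println(demo()) // true true false
}
```

The extension name is part of the signed bytes so that a validly signed manifest for one extension cannot be served for another. A signed manifest on its own does not stop a mirror from replaying an older, validly signed version.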
