-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2016-12-17 18:33,
Tai...@gmx.com wrote:
> How come you guys use cloudflare?
The main reasons are:
1. A core tenet of the Qubes philosophy is "Distrust the
infrastructure," where "the infrastructure" refers to things like
hosting providers, CDNs, DNS services, package repositories, email
servers, PGP keyservers, etc. (This includes Cloudflare, of course.)
We focus on securing the endpoints instead of attempting to secure
"the middle" (i.e., the infrastructure), since one of our goals is
for users to have to entrust their security to as few entities as
possible (ideally, only themselves).
Users can never fully control all the infrastructure they rely
upon, and they can never fully trust all the entities who do control
it. Therefore, we believe the best solution is not to attempt to
make the infrastructure trustworthy, but instead to concentrate on
solutions that obviate the need to do so. We believe that many
attempts to make the infrastructure appear trustworthy actually
provide only the illusion of security and are ultimately a
disservice to real users. Since we don't want to encourage or
endorse this, we make our distrust of the infrastructure explicit.
2. It's free (as in beer). We'd have to spend either time or money to
implement a solution ourselves or pay someone to do so, and we can't
spare either one right now.
3. It has low admin/overhead requirements, which is very important,
given how little time we have to spare.
> They have a dangerous monopoly on internet services and
> discriminate against people using VPN's and the like, by insisting
> that you enable javascript and perform a captcha even for simply
> viewing a website and by subverting them a hostile actor would
> effectively own most of the internet.
I'm not sure about VPNs, but we explicitly whitelist Tor exit nodes in
Cloudflare, so there should be minimal (if any) CAPTCHAs if you browse
our website over Tor (which is much better for strong privacy than
using a VPN).
As for enabling Javascript, this shouldn't be much of a problem for
Qubes users, since they can simply use a DispVM, or have a dedicated
VM for untrusted browsing.
In general, though, I agree that Cloudflare has some undesirable
qualities. If you're aware of a similar solution that doesn't suffer
from these drawbacks (and that satisfies the three requirements listed
above), then by all means, please let us know.
> They also have a curious policy in regards to protecting terrorist
> websites, I do not think that that is done out of some want for
> total freedom of speech as that reasoning wouldn't mesh with the
> other decisions they make.
I don't know anything about this, but if it's true, it's certainly
troubling. Again, if you're aware of a similar solution that doesn't
have such problems (and that satisfies the three requirements listed
above), then by all means, please let us know.
> Pre-emptive q/a: "it is okay because we have gpg key verified
> downloads" Which is fine, until someone changes the signature
> files and the key id that users should fetch.
This is why users are explicitly instructed to verify key fingerprints
using out-of-band (i.e., multiple) channels:
https://www.qubes-os.org/doc/verifying-signatures/
> "web of trust key signing protects you" Which again, is fine,
> until the key server you use runs cloudflare as well,
We don't really rely on WoT so much as verifying key fingerprints, but
isn't the point of WoT that it doesn't have to assume trustworthy
keyservers?
> or you're stuck at the catch-22 of verification with trusting
> trust and besides most users don't check that anyway.
Are you referring to the classic "Reflections on Trusting Trust"
paper? It's not clear to me what you have in mind here.
> "without cloudflare someone could just get a corrupt CA to issue a
> fake cert so hey it doesn't matter" And that would be detected
> with certificate patrol.
There are still a lot of infrastructure-related problems (i.e., attack
vectors) that this doesn't rule out, like an attacker gaining access
to the server itself.
> "but....you ask for a change that may only provide minor
> protection!" Security isn't about 100%, it is about layering until
> you are not the path of least resistance - 99.9%
True, but it's also about the cost-benefit analysis, and in our case,
the costs of implementing and maintaining a solution ourselves are too
high right now.
I can't tell which incident this is referring to, but, in general, I
think the principle of distrusting the infrastructure applies here.
> Other associated problems: * The
qubes-os.org site certificates
> are only 2048bit, not good enough.
My impression is that many reputable cryptographers would disagree
with that assessment, but, at any rate, it would seem that the
principle of distrusting the infrastructure again applies here.
> * The mailing list uses google groups, instead of better
> self-hosting that doesn't give google whatever it is they're
> getting from it.
The same three reasons I gave above for why we use Cloudflare also
apply to using Google Groups. (This has come up many times over the
year, so you may want to take a look at previous threads in the list
archives.)
P.S. - Please send your message to only one list next time. I'm
replying on both lists so that this message doesn't appear to be
ignored on one of them, but please direct any further replies only to
qubes-users (and, optionally, individual thread participants).
iQIcBAEBCgAGBQJYVggJAAoJENtN07w5UDAwvGYQAIjz/g2nrnqPrnQYojxosFl0
KjngTrgwLlMYgwOjlin2YFuZh0dAtmRepoGg6rTAsSshaaBikRtFq/0nPrwM/gz2
4gqdHozRYSkjxDck1fgk996cRPioB3QaCnBOGsAPFTB16cnKmA+AlFiAyh74UFoh
wuNFHAO0dNl+MhSB1zV6O+MA+SH7VItomD9LoZc7ICFtnAeGKUTPweSFx1Whhft3
L+56jHyxLKV/lSFmPADFXzpJi+sl6WKD/H64grhK7Ie7hj+0558vZaKPDew2VVE2
ilP7vqXkZEX5k/6CpXlIMzxVexFyazapCilvNZKVdYdk0RDE1qDDXXqU6m11Mu3f
Qf6xYlJHS8ZrY7Kf9eXYrlHNKV5abmMjpG5OPwfRNcLRcUrBSVcMhzq/jKuXVKFW
wVXvH2qmCykOtmxEat9Wpg9UOSzlgYCzplmxER4OoRRdfgGEHgOLNPoIxduAIJt3
xK0Wv7jS1PwqvCuOZy77sTePeWuhfGhkzAXdH/kpjWpDehypV14Ab1Awj727rYec
B5GP2X2BBQt8lsJhKEB9sQDVw68JD4OrbAOhUq5fagWTxhWWbB/q15a+xiiNZJnP
Ll8NS7LoyT7yC/coYAh779lcx5/vrj9rpQd8vnnP8nwVkb2IE+eCYBR/wiLV5lJ7
l9ymHOlFcKzPzRnk/5as
=nJSV
-----END PGP SIGNATURE-----