Tell HN: Sci-Hub's TLS certificate has started failing
Sci-Hub started failing earlier today with a SEC_ERROR_REVOKED_CERTIFICATE error, which affects all alternative Web addresses. Don't know about .onion.
Is this some kind of planned maintenance, or a sign of further trouble?
153 comments
[ 1.9 ms ] story [ 201 ms ] threadPlus, they won't remove the functionality to manually trust a cert (Business Users would complain).
Firefox has implemented the same rules around .dev tld's as google. I use vivaldi when accessing internal company .dev domains because firefox won't let me tell it to accept the self-signed certificate.
[1]: https://github.com/google/easypki
Well, another argument in favor of not overloading TLDs for internal domains, then, and just buying an additional domain if you really want to have separate internal and external domains.
Slowly ostracising and forcing "compliance" of those who don't toe the line is easier than before. They want you to be obedient sheep, living in an illusion of security and safety while continuing to mindlessly consume under their control.
I will resist the urge to post that memorable Franklin quote.
* ads on page
* seeing all internet traffic to enhance targeting
The real conspiracy would be to know a better system and not tell anyone. Which is like sponsoring scientific discoveries and then hiding those behind a pay wall. Oh wait again.
What do you mean "listen"? CAs can invalidate certs at will, but, they have no mechanism to listen on communications (unless you give them your private key, but, then anyone you give your private key to can eavesdrop).
The CA system has lots of issues. It would be a pretty big conspiracy if there were thousands of people that knew of something better and said nothing. But, there is absolutely no proof that anyone has any idea how to do better than the CA system. Do you know of such a system or have any evidence that someone else does? Google, despite their flaws w.r.t. privacy, has done quite a bit of work to improve the CA situation - Certificate Transparency, for example.
A court seizing a domain thereby invalidating a cert.
> What do you mean "listen"?
If I accept a custom cert, but don't validate the key, I might as well use none, basically. That's the extent of my knowledge, I don't know what Certificate Transparency is doing, for example.
> The CA system has lots of issues. It would be a pretty big conspiracy if there were thousands of people that knew of something better and said nothing. But, there is absolutely no proof that anyone has any idea how to do better than the CA system. Do you know of such a system or have any evidence that someone else does?
> It would be a pretty big conspiracy
Exactly, so why do you expect that twitter sized post could it explain it convincingly?
> if there were thousands of people that knew of something better and said nothing
Ironically, it might be the ability to censor communication to suppress such voices, however hypothetical that is, that triggered the GP.
> But, there is absolutely no proof that anyone has any idea how to do better than the CA system.
PGP is used with key exchange in real live. I'm not using it, just arguing for the sake of the argument. It has problems, too, but "better" is not a binary value , except in the limited scope of the specific problem. PGP doesn't need root CAs.
Edit: already noted by detaro https://news.ycombinator.com/item?id=16952051
EDIT:
IE and Firefox say "insecure".
What really annoys me: There does not seem to be any way - none that I could find - to get IE and Firefox to connect anyway?
Firefox 59
In Firefox, I think you can only by disabling the check (Preferences → Advanced → Certificates → Query OCSP ...). You probably don't want to keep that disabled, though.
Alternatively, Microsoft might have had something to do with it (they're super anti-piracy, and have a contract with all the CAs that requires them to unilaterally revoke any cert at Microsoft's discretion), but I think that's far less likely than the court order.
source?
> If Microsoft, it its sole discretion, identifies a DV Server Authentication certificate is being used to promote malware or unwanted software, Microsoft will contact the responsible CA and request that it revoke the certificate. The CA must either revoke the certificate within a commercially-reasonable timeframe, or it must request an exception from Microsoft within two (2) business days of receiving Microsoft’s request. Microsoft may either grant or deny the exception at its sole discretion. In the event that Microsoft does not grant the exception, the CA must revoke the certificate within a commercially-reasonable timeframe not to exceed two (2) business days.
Hell no, and neither does microsoft.
Microsoft's only option is to completely drop the root cert, right? So there's no real non-nuclear option...
In the broader sense, this is one downside of the shift towards Lets Encrypt and CAs being more interchangable: increased power of the root stores relative to them.
Sometimes that's good, sometimes it's evil.
In small-scale disputes MS (and other browser vendors) would not have to nuke an entire large CA to get their way. In principle they could just blacklist the individual certs/names, leaving the CA's other certs alone.
That ability/implied threat probably does mean that the CAs tend to comply with MS piracy/copyright-related revocation requests, because refusing to comply would piss off MS (and possibly law enforcement) without actually stopping them from getting their way by other means.
I'm sure they could challenge it if they wanted to step on to US soil which, in this case, probably isn't such a good idea.
LE are a US corp, subject to US laws, and at the whim of US court orders. The implications of that are worth gaming out.
Our laws are (arguably) mostly fair. But there are cases where they're not.
Picture a world where an administration rises to power in the US on a platform that seems insane, but everybody endorses it anyway. And this platform just so happens to be against the sort of thing you're trying to do on the internet.
Sci-hub are stealing. We as a community are mostly fine with that. We don't consider it stealing, because the moral good outweighs the bad by a hundred to one.
But this isn't about Sci-hub. This is about a world in which we're free to do as we please, because we have the ability to decide what we want to do. If we want to make a site that can make information available, and someone else doesn't like that information or feels that they own it, what do you do? You have no power.
And when you blindly put your faith in institutions like Let's Encrypt on their platform of openness and trust, you set yourself up for a shift: One day you wake up and find out you were mistaken, and we were all mistaken to push this centralized model in the name of security and convenience.
And of course, that's the fundamental truth, isn't it? Liberties have always been eroded by pushing security and convenience.
We should think carefully about who we trust, and why.
That's precisely the main concern here, given the nature of SciHub.
For instance, I recently consolidated my personal projects and site onto one server. I needed a single certificate that'd cover two domains. Digicert combined two of my orders into one certificate with two wildcard SANs. You wouldn't be able to do that with LE.
Edit: I was under the impression you couldn't do multiple wildcard SANs in LE but according to some forum posts it's fully possible as long as validation passes.
Sharing a (wildcard) certificate between multiple servers.
At any point in history, have CAs revoked certs solely to censor a target website?
Maybe the answer is yes. I don't know. But this is a rude wake-up call for me and everyone else who tried to force the world into this shape.
We've all been shouting "You have to use TLS! It's fundamental security 101. If you're not using https, your site is probably broken. And there's no reason not to do it, since it's so easy."
Surprise: Now nobdoy trusts http, and those that control https can revoke their trust based on arbitrary human morals rather than solid technical reasons.
I was a pentester for years and not once did anybody mention this threat anywhere. It's blindingly obvious in hindsight, but it was too easy not to think about it.
Let's Encrypt is in the exact same position. Why do we trust them? Think about it -- they're under US jurisdiction and subject to US laws. The government could compel them to revoke certs.
We're lucky that it's just a minor annoyance. Picture a world where no major browser renders http at all, and the only way to get a site online is to have a trusted cert.
This is not far from reality: If the Magic Leap turns out not to be vaporware, they're going to be launching a DRM-powered internet that can't be adblocked. And that means we'll all be subject to government whims far more than we'd like to admit.
Really the issue is that decentralization isn't very compatible with convenience and people generally place a lot more value on convenience than things like Sci-Hub.
So it's not technically infeasible to have networking gear drop any connection which doesn't chain back to a government-approved root?
Yse, and that is a very scary thought. China is doing something similar already.
Only on old TLS versions. TLS 1.3 changed it so the server certificate is also encrypted.
Whether the traffic is authenticated or not, ISPs block sites when instructed by government orders. And that is much harder to work around than a revoked TLS cert (although a revoked cert does mean "totally blocked" for almost all users).
These are not purely technical challenges, but rather political issues that must be addressed as such. We will always lose to our governments if we focus only on technical solutions to censorship.
I'd like to add that the USA government, for the most part, does not accept an absolute right to private communication. The possibility of ubiquitous end-to-end encrypted communications with tools like TLS and WhatsApp is not something we should take for granted. The USA matters here because we are the powerful nation with the strongest legal and cultural commitment to freedom of speech.
Revoking certs from US CAs is probably the new DNS seizure, post- encryption and TLD expansion.
Although hopefully it'll die a quick death when they realize it's ineffective.
SEC takedowns have happened for years without relying on TLS.
Connecting from St. Petersburg Russia.
[1] https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...
You can temporarily work around this by disabling 'Query OCSP responder servers to confirm the current validity of certificates' under Privacy & Security in Firefox.
Edit: The author registered Stripe Inc. in a different state than the payment processor and acquired an EV cert which got revoked.
In fact, it's my objection to computation illiteracy being acceptable in general amongst users. Devs and agencies cannot be trusted not to screw with things. If the average Joe cannot understand what is going on behind the curtains, they aren't free.
Freedom is a scary thing to many groups, and unfortunately, more and more we are seeing the pendulum swing further and further away from the Internet's original intent: to facilitate the fast and open communication of information. I want to say free and open, but unfortunately I have trouble being able to maintain that level of idealism anymore.
Usability became more important than flexibility. And intuitive operation prioritized over ease of learning.
There's a lot to be said for a harder to use computer with a learning curve, but which affords you more power to be a creator instead of a consumer at the end of the curve.
I'd go so far as to say that's better for us (as in, all humans).
Making computers accessible seems like a completely reasonable, sound priority. Yes, computer literacy is something we all need to work towards, but we'll never be in a world where the average person understands PKI, and saying that we should limit accessibility until they do is absurd.
My point is: it should be possible to use something without fully understanding the minutiae of how it works. We call this “user interface design”.
You should be allowed to live in a house without a full understanding of the architectural details that prevent it from falling down.
https://en.m.wikipedia.org/wiki/Navier%E2%80%93Stokes_equati...
2000 years ago: "we'll never be in a world where the average person can read and write English"
I doubt this is even the point of GP.
Example:
Teaching fundamental abstractions before basing education on one set or another.
Teaching fundamental program sets/basics of toolchains (Think scripts, text editors, and intro to program compilation.)
Teaching fundamental protocols.
Teaching about infrastructure.
Teaching how to do X in Windows/Mac/Linux.
IN THAT ORDER. Notice that that curriculum, while it would likely have to choose one OS or another based on circumstances, focuses on what you can DO with a computer, and lays a foundation through which the neophyte user can begin to understand what a computer and the NET really are.
The NET isn't a pretty screen. It isn't one company's search engine, it's the means by which info goes from HERE to THERE. A computer isn't some mere calculator. It is an extension of our minds (and should be civically treated as such, but that's another post).
I can die happy if within my lifetime, my occupation in the tech industry becomes "unskilled" labor. For I will have contributed to finding a way to elevate mankind to a me level.
Why is this problematic? Why is more people having access to computing a bad thing? This is a dangerous, and (dare I say) elitist opinion. We're seeing positive impact, every day, thanks to the ubiquitously available computing resources.
If you'd like to use a computer with a learning curve, use a computer with a learning curve. Don't drag the whole world with you.
It might be a bit to deep an argument but where do you think intuition comes from? If we design peceaved reality after existing intuition you get a giant feedback loop that calls for ever more unrealistic representations.
Mabe an analogy can be had with electronics being mostly paralel processes while we can barely figure out how to implement it in higher languages. Our intuition likes the 1 thing at a time approach.
But then, of course, intuition is more useful for some people. For those people, no one is stopping you from digging into the engine itself. This is really the price discrimination idea applied to utility: offering a cheaper, easier to use interface (taking the bus) means now the bus is useful not only to the engineers, but the passengers as well.
The situation about computing is not really that much different. If you want to learn the internal of computers, Gentoo exists, feel free to use it. But should everyone use Gentoo? Not really. I'm probably more proficient in Linux than the average developer, but I don't see the need of using Gentoo myself either.
That is not to say we can't do better either. The signature design for SQLAlchemy is leaking abstractions (but in a good way). The average dashboard for a car today is way more complicated than the dashboard of a car 70 years ago. Yet, that's not stopping car ownership to grow. Maybe there's a lesson for us somewhere there as well.
Where'd you get that from?
I think the Internet's original intent was to do it "because we can". Everything else came afterward.
The open part can be pedantically removed in the case of ARPAnet, but I've not met anyone who confuses the Internet with ARPAnet. The Internet, as it came to be called in the 90's with the rise of the World Wide Web, WAS at it's core 'open'. Pretty much everyone I've met who was around and working on the ARPAnet saw it as a foregone conclusion it (a network based on the lessons learned through ARPAnet) would be going public in one way or another.
Now you have! :) Unless you don't count online interaction.
That reasoning drove the majority of computer technology progress during the 1980s and 1990s. It wasn't until AFTER the birth of the World Wide Web did mainstream businesses start to really look at monetizing this new market, and in a symbiotic way hackers and nerds and geeks started crowing about altruistic philosophies like decentralization and how information "wants" to be free.
Why are you surprised that humans are being humans?
Why can't you put trust into the fact that there are more people being good most of the time.
Internet tools should be like paper and pencil, opinionless. Pencil maker doesn't get to control what gets written by the pencil, a social media platform maker doesn't get to control what gets said on the platform. Only when legally required, the pencil may be seized; only when legally required a social media post be taken down.
If with the protection and power of USA we can't stand by the Freedom of Expression in the marketplace of ideas, we are doomed to get an authoritarian overlords.
This "I don't like this free and open internet" because my ideas are losing is very dangerous power grab.
(If there is a lawyer in the house who could let us know otherwise, that would be awesome).
The Supreme Court, however, has been reticent to apply any interpretive oomph to the idea that electronic message sending represents the same type of "private correspondence" that a snail mail letter represents.
In fact, if anything it has generally leaned in the opposite direction. The SC has ruled that sharing personal or private information with a third party thereby nullifies your expectation of privacy and protection of your information by due process. This happened in the early days of telephony I think.
"But that is only from the Government's point of view!", I hear from the gallery...
Yes... Unfortunately it does set a societal precedent through the institution, however.
I mean, if as an arbitrary business, I can hand your information to the government and they can make use of it, then surely I am free to share data I have about you with other people\businesses?
Once that becomes legally acceptable, and people are willing to pay me for as much info as I can give, suddenly the economic incentive is to collect and sell as much information as possible. Note that this isn't a tech problem, but a social one.
As long as we don't take a stand by making law to cover the issues of electronic activity being considered "protected correspondence" with a reasonable expectation of privacy, we will continue to see these blatant invasions into our personal affairs by business and government alike.
The thing that will hold back that lawmaking though is that there are some VERY deep pockets that would see incredibly vast revenue streams dry up by passing something like that.
One could see places like Alphabet, Microsoft, Facebook, and the other Silicon Valley darlings doing everything in their power to convince both the government and the populace that doing something like that would be a terrible idea.
And they would be right to a degree. Many "free" services would have to switch to to a subscription model or something similar, and it could mean major cutbacks for many tech companies that haven't matured enough to diversify away from an ad supported business model.
I can't speak for anyone else, but to me, that is a small price to pay to establish a right to the privacy of the exercise of our wills in the electronic realm. Thinking in the Internet age is truly an inspiring thing to behold. However, the Net that enables this capacity for collective thought is just a tool. We will get out of the Net what we as people put into it. To me, the Net has always been about empowering and uplifting every person by putting the collective knowledge and wisdom of humanity at each person's fingertips before anything else. One should always come away from the Net having found something, but at the same time, one has the right to use the Net and not have anything TAKEN. A "Right to Lurk" as it were.
If I had to choose something as the basis for a new Constitutional Amendment, it would be something that would explicitly codify the expansion of the legal "expectation of privacy" to encompass all electronic forms of communication, commerce, and assembly; protecting the aforementioned from search and seizure by the government without due process. It wouldn't do anything for SciHub sadly, but it would be a step back in the right direction in terms of curbing some of the more demonstrably harmful ills the Net has facilitated in our society.
P.S. Sorry for the mind dump. It felt great. If you are still reading, you're awesome.
Going forward the ability to trust information will matter as much as physical safety. We're starting to build institutions that regulate that for us, CAs are one of the first.
Depending on where you stand this is either a success or a failure of institutional trust.
Government has a monopoly on the legitimate use of force.
Weber claims that the state is the "only human Gemeinschaft which lays claim to the monopoly on the legitimated use of physical force. However, this monopoly is limited to a certain geographical area, and in fact this limitation to a particular area is one of the things that defines a state."[2] In other words, Weber describes the state as any organization that succeeds in holding the exclusive right to use, threaten, or authorize physical force against residents of its territory. Such a monopoly, according to Weber, must occur via a process of legitimation.
https://en.wikipedia.org/wiki/Monopoly_on_violence
This is mis-read by many Libertarians, including Charles Koch,[1] who directly funds a wide set of Libertarian institutional propaganda mills,[2] that this invalidates government. It does not.
Absent a monopoly, there are multiple parties that claim legitimacy over use of force, including lical strongmen, tribes, or corporations, for all of which there is an extensive history of same (including Koch Industries, to the present).
Government's monopoly is not for unlimited use of force, but for legitimate use.
And if some alternate structure emerges claiming this right, it is, ipso facto, government.
It is also possible for actual or nominal governments' use of force to be illegitimate. Which it rather frequently is.
________________________________
Notes:
1. https://www.marketplace.org/2015/10/21/business/corner-offic...
2. Amply documented, see: https://en.wikipedia.org/wiki/Political_activities_of_the_Ko... https://www.sourcewatch.org/index.php/Koch_Brothers
He has an opinion, I have an opinion, you have an opinion, Charles Koch has an opinion... everybody has an opinion.
At some point, the answer to questions like this always comes down to "God," or "Nobody," or "Whoever has the most money/biggest weapons." It's an unsatisfying debate.
Koch uses this as his justification, but misstates and apparently misunderstands the concept. This is his prior, the lynchpin of his argument, and it is mis-applied.
The sentiments of Weber are not inconsistent with a long prior line.
Your "God or Nobody" presumption is incorrect. The principles also arise out of systems studies and ontology.
Setting aside the legal/ethical underpinnings..
Is the issue here that people are worried that an SA can revoke a cert or that it will be harder for the layperson to get to this particular site?
And yes, the impact is that many people lose access. Or need to access via HTTP instead of HTTPS. Which exposes information about what they access. Unless the use the Tor onion site, which is maybe beyond most people's skills.
0) https://crt.sh/?id=274083328
I wouldn't go rushing to blame Comodo for kowtowing to publishers' demands until Alexandra tells us that's what actually happened...