Hacker News new | ask | show | jobs
by nsxwolf 4707 days ago
Thank you! That looks really good. Now, what if I'm paranoid by a CA being compromised? Are there any pitfalls to me acting as my own CA and issuing my own certificate - provided the people I'm planning on talking to trust me?
2 comments
bigiain 4707 days ago
Self signed certs, along with the handholding required to get your intended users to install them on their devices (probably not too big a deal for a tech crowd - perhaps not something I'd jump at for a "family and friends" targeted system).

At that level of paranoia – I'd question the appropriateness of relying on a "cloud VM". If you're worried about compromised CAs, perhaps a RaspberryPi (or similar inexpensive device) on your home net connection - with a write-locked SD card to boot from and a usb drive mounted with no-exec - and firewalled up the wazoo. Who knows how many guys have Snowden-like access to the VM hypervisor at n-random cloud hosting provider? Inside your "server", all the cleartext and metadata is readily available to root, and to root on the hypervisor as well.

link
nsxwolf 4706 days ago
Now I'm wondering if I can accomplish what I want with iChat Server on OS X Server. I have an old mini laying around.
link
bigiain 4706 days ago
For appropriate levels of paranoia and/or "I'm doing this right just because", I'd hesitate a little about choosing OS X or Windows as an OS. Once you've allowed them to connect to the internet, they both do a surprising amount of "phoning home", and who knows what "the mothership" is capable of being coerced into making them do.

I'd lean much more strongly towards Linux or even one of the various BSDs if I were doing this. I'm not about to audit all of the Linux/OpenBSD code myself – but I'd feel somewhat more comfortable with them knowing the code is at least available for me to review and that there's a much smaller chance of the NSA or FBI being able to "lean on" enough people to be able to keep backdoors undisclosed.

(Having said that, if you've got a "spare" Mac and are comfortable with OS X, you'd almost certainly be able to set up a system that's "secure enough against ubiquitous recording-of-all-traffic" surveillance, and if the NSA chooses to target you specifically, you've probably got to admit your privacy battle is lost from the start…)

link
GiHe 4707 days ago
Helping friends and family install your self-signed root certificate can be less than fun, especially if they have lesser computer skills and a variety of browsers (and mobile operating systems).

My gut says that StartSSL is about as anti-NSA as they can be, but you never know ...

link