
Exploring LibreOffice 7.0

Exploring LibreOffice 7.0

Posted Aug 21, 2020 9:53 UTC (Fri) by Sesse (subscriber, #53779)
In reply to: Exploring LibreOffice 7.0 by emorrp1
Parent article: Exploring LibreOffice 7.0

There are tons of high-profile replacements! It's just that there's no one-size-fits-all, because the GPG model isn't all that useful. (Note that this isn't about the crypto at all, it's about usability of the model.)

For talking to something centralized, use HTTPS. For secure messaging, use Signal. For sending files, use magic-wormhole. For backups, supposedly use tarsnap, except tarsnap is expensive if you have too much data.



Exploring LibreOffice 7.0

Posted Aug 21, 2020 13:18 UTC (Fri) by emorrp1 (guest, #99512) [Link] (3 responses)

Thank you for reminding me of the alternatives. I wouldn't say https is really an end state, there seems to be a lot of tweaking around the edges still ongoing, like 1.3, esni, doh, quic. Signal = lib(meg)olm in the messaging case, 100% agreed there and I don't know much about magic-wormhole, will have to look into it.

> isn't about the crypto at all, it's about usability of the model

Yes, I thought that we were actually talking about usability, but I just included it to be clear about why I think there might be a lot of online pushes to avoid GPG, without it actually being broken.

Exploring LibreOffice 7.0

Posted Aug 21, 2020 23:16 UTC (Fri) by NYKevin (subscriber, #129325) [Link]

HTTPS might not technically be "done," but that doesn't matter because:

- Users are actually using it.
- Webmasters are actually using it.
- Neither the user nor the webmaster needs to know anything at all about how the cryptography works (although the webmaster does need to follow simple instructions for how to configure their software to use the right set of cipher suites).
- While it may be undergoing further changes, there are multiple widely-deployed implementations of both clients and servers, and all of these implementations are capable of talking to one another with minimal or no difficulty.
- The changes that are happening are almost universally backwards-compatible with older implementations. Even today, you can run netcat google.com 80, type "HEAD / HTTP/1.0" followed by two newlines, and get a reasonable response. (Yes, this is HTTP and not HTTPS. But it's the same story on the HTTPS side, that's just harder to demo.)

Exploring LibreOffice 7.0

Posted Aug 22, 2020 2:26 UTC (Sat) by tialaramex (subscriber, #21167) [Link] (1 responses)

Of the things you listed:

TLS 1.3 is finished, published, widely used.

ESNI is a potential new feature addition which has anyway been obsoleted by ECH (Encrypted Client Hello) and the latter remains under development. So yes you can't have ECH today, but, GPG doesn't offer anything like this, if you hide the envelope of SMTP email it's undeliverable, even if the true identity of the intended recipient remains securely PGP encrypted somewhere.

DoH and all of DPRIVE are completed and actively in use.

QUIC is a new IETF protocol, over which HTTP/3 might run, but that doesn't mean you can't use HTTP/2 today, and millions of people do.

Magic Wormhole is mostly the observation that you can do secure file transport for humans with easy to use primitives plus a PAKE. If you haven't seen a PAKE before that's pretty interesting, but the rest is nothing at all new, it's embarrassing other systems weren't already this easy. It does rest heavily on the _human_ though. PAKEs statistically lose a determined fraction of the time against an active adversary. A human will get sick of the Magic Wormhole not working after at most a handful of tries, but if you let an infinitely patient machine use one obviously a machine will cheerfully do billions of attempts and eventually leak the file to a determined and similarly automatic adversary.
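An added example, not part of the comment above: a small risk model for the retry behaviour it describes, where each PAKE session gives an active adversary exactly one guess at a fresh short code. The 16-bit code space, the function names and the retry counts are assumptions made for illustration.

```python
import math
import random

# Assumption: a 16-bit one-time code (for instance two words from a 256-word list).
CODE_SPACE = 2 ** 16

def leak_probability(attempts, code_space=CODE_SPACE):
    """Chance that at least one of `attempts` sessions is won by an active
    adversary who gets exactly one guess per session (fresh code each time)."""
    # log1p/expm1 keep precision when 1/code_space is tiny.
    return -math.expm1(attempts * math.log1p(-1.0 / code_space))

def max_retries_for_risk(risk, code_space=CODE_SPACE):
    """Largest retry budget that keeps the cumulative leak probability <= risk."""
    return math.floor(math.log1p(-risk) / math.log1p(-1.0 / code_space))

def simulate(attempts, code_space, trials, seed=1):
    """Monte Carlo check of leak_probability with a seeded generator."""
    rng = random.Random(seed)
    leaks = 0
    for _ in range(trials):
        for _ in range(attempts):
            # One session: fresh secret code versus the adversary's single guess.
            if rng.randrange(code_space) == rng.randrange(code_space):
                leaks += 1
                break
    return leaks / trials

if __name__ == "__main__":
    # A person gives up after a handful of failures; a script never does.
    for label, attempts in [("human, 5 tries", 5),
                            ("cron job, 1e5 tries", 10 ** 5),
                            ("unattended, 1e9 tries", 10 ** 9)]:
        print(f"{label:24s} leak probability = {leak_probability(attempts):.6f}")
    # Defensive use: the retry cap an automated sender should enforce.
    print("retry cap for <= 1% risk:", max_retries_for_risk(0.01))
    print("simulated (16 codes, 4 tries):", simulate(4, 16, 20000))
```

An automated sender that must reuse such a protocol can enforce the computed cap and alert on repeated failures instead of retrying indefinitely.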

Exploring LibreOffice 7.0

Posted Aug 25, 2020 12:13 UTC (Tue) by Lennie (subscriber, #49641) [Link]

And supposedly you can't use Encrypted SNI in China:

https://www.zdnet.com/article/china-is-now-blocking-all-e...

I think the article is probably wrong/misleading based on other reports I've seen: TLS1.3 supposedly works, but Encrypted SNI doesn't.

Encrypted SNI is the experimental variant used through the Cloudflare/Firefox collaboration:

https://blog.cloudflare.com/encrypted-sni/

Exploring LibreOffice 7.0

Posted Aug 21, 2020 13:52 UTC (Fri) by LtWorf (subscriber, #124958) [Link]

> For secure messaging, use Signal.

Ah, a centralised non federated protocol that disallows modified clients and that has no real desktop client.

Some people prefer to use regular computers as opposed to crippled computers.

Exploring LibreOffice 7.0

Posted Aug 26, 2020 15:25 UTC (Wed) by gfernandes (subscriber, #119910) [Link]

Really? Tons?

Come now. Let's be realistic. There's only one *practical* way to do encryption in a decentralised way - asymmetric encryption. Which is basically PGP/GPG *and* the Signal protocol. Yes Signal is asymmetric encryption. Not really miles away from PGP, although more user friendly. But then, your laptop typically doesn't have a SIM card to set up using the Signal protocol, or someone would've done it by now.

HTTPS? Seriously? And where would you get your certificates from? Let's Encrypt?

While it seems like a trivial problem to solve, it's actually very hard to be secure and user friendly at the same time.

C'est la vie.

