undefined | Better HN

0 pointsgwu789y ago0 comments

Do you like to make all sorts of assumptions about users, what software they use, what software they "should" use and what software "no one uses"?

I don't. Unlike many forum commenters, I do not try to convince people what software to use. I am not telling any users to stop using SSL. (Even though I strongly dislike it myself.) I am only addressing SNI, an extension to SSL that has become widespread in recent years.

Unlike you, I am not making presumptions about other users (except perhaps that some value privacy). They might know about some software I don't. I do not conclude "Well, that's all I can think of, so it must be everything that is worth considering."

If someone asks me how to do something using SSL libraries I am always going to say I would not use those. I am just being honest. Next time I will not mention CurveCP. Then they will ask: So what would you use? If I say anything other than SSL/TLS, they will attack my choice even if they know nothing about it.

A lot of very popular software is poor quality. That is my opinion. I do not choose software based on popularity. Sorry for not comporting to your assumptions.

Pre-SNI: Domainnames encrypted. Post-SNI: Domainnames unencrypted. Fact. That is not the only reason a user could dislike SNI. But it is the one that is applicable to this news event.

I think it is for users to decide whether they like SNI or not. And in my opinion silence does not necessarily mean they approve.

0 comments

johncolanduoni9y ago

I really don't care what you do, my only "assumption" was that you claimed, repeatedly and loudly, that privacy advocates should step away from SNI and that SSL was "so flawed". You didn't start making your statements only apply to yourself until you ran out of arguments that people should do just that.

Also I went looking for TLS libraries released in the past ~10 years without SNI, my only "assumption" about users was that there were myriad of other reasons why you wouldn't want a decade old TLS implementation (the biggest one being security). If you have a more recent example, I'd love to hear it.

If you don't want people to ask for evidence when you make general statements like you did for quite a while before you decided this must be a personal attack, then don't tell people quite clearly what they should do if they care about privacy.

gwu78OP9y ago

"I really don't care what you do..."

Then why comment? One user expresses dislike for SNI and you feel compelled to respond? If you have your own reasons for liking SNI you could have stated them, but you did not.

If I do not like SNI, then why would you care? My reasons are my reasons.

SSL-enabled software has to be "updated" because SSL-enabled software did not support SNI since 2003. It spread more recently. The reasons behind this I leave as an exercise for the reader.

As a user, I have no need for SNI. It is annoying for multiple reasons. Leaking hostnames is among them.

I am still able to use many websites that do not require SNI. They are no less "secure" by virtue of not enabling it. And the software I use is no less secure for not supporting SNI.

johncolanduoni9y ago

I say it one last time: because you didn't just say what you do, you told other people what to do if they cared about privacy. If someone (not you, or me, this isn't a private chat) took that seriously, and you are wrong, you are at best spreading FUD. Don't expect me (or anyone else) to assume you are right that SNI is a significant threat to privacy based on your super-secret reasons that totally exist but you refuse to share.

1 more reply

j / k navigate · click thread line to collapse

0 pointsgwu789y ago0 comments

Do you like to make all sorts of assumptions about users, what software they use, what software they "should" use and what software "no one uses"?

A lot of very popular software is poor quality. That is my opinion. I do not choose software based on popularity. Sorry for not comporting to your assumptions.

Pre-SNI: Domainnames encrypted. Post-SNI: Domainnames unencrypted. Fact. That is not the only reason a user could dislike SNI. But it is the one that is applicable to this news event.

I think it is for users to decide whether they like SNI or not. And in my opinion silence does not necessarily mean they approve.

0 comments

johncolanduoni9y ago

gwu78OP9y ago

"I really don't care what you do..."

Then why comment? One user expresses dislike for SNI and you feel compelled to respond? If you have your own reasons for liking SNI you could have stated them, but you did not.

If I do not like SNI, then why would you care? My reasons are my reasons.

SSL-enabled software has to be "updated" because SSL-enabled software did not support SNI since 2003. It spread more recently. The reasons behind this I leave as an exercise for the reader.

As a user, I have no need for SNI. It is annoying for multiple reasons. Leaking hostnames is among them.

I am still able to use many websites that do not require SNI. They are no less "secure" by virtue of not enabling it. And the software I use is no less secure for not supporting SNI.

johncolanduoni9y ago

1 more reply

j / k navigate · click thread line to collapse