logo

blog

My little blog can’t be this cute!

I’m removing defaults to eternal cryptographic signatures.xhtml (2471B)


      1 <article lang="en" class="h-entry">
      2 <a href="/articles/I%E2%80%99m%20removing%20defaults%20to%20eternal%20cryptographic%20signatures"><h1>I’m removing defaults to eternal cryptographic signatures</h1></a>
      3 <h2>Quick Notes on how to</h2>
      4 <ul>
      5 	<li>git: Make sure <code>commit.gpgSign</code> isn’t set. (system-wide: <code>git config --system --get commit.gpgSign</code>, user-wide: <code>git config --global --get commit.gpgSign</code>, repo-wide: <code>git config --local --get commit.gpgSign</code>). To strip existing commits run <code>git filter-branch</code> on the repositories.</li>
      6 	<li>Email: Disable OpenPGP Signatures in your client if you did (also avoid Protonmail), make sure DKIM is non-existent, you may have to self-host your email</li>
      7 	<li>Fediverse: For Mastodon starting with 2.7.0 (released 2019-01-20 12:40) you should use non-public statuses by default (See <a href="https://github.com/tootsuite/mastodon/pull/9659">Pull Request #9659</a>). Otherwise you can use Pleroma which doesn’t have JSON-LD Signatures.</li>
      8 	<li>XMPP: Do not use OpenPGP or OX, OMEMO seems to have good deniability. I’m not very sure about OTRv3 as <a href="https://whispersystems.org/blog/simplifying-otr-deniability/">Simplifying OTR Deniability</a> (referenced on <a href="https://conversations.im/omemo/">OMEMO’s page</a>) doesn’t mention the version.</li>
      9 </ul>
     10 <h2>Why?</h2>
     11 <p>It’s something that weirdly doesn’t seems very popular in cryptonerds circles. Long-term signatures in a computer world basically is that everything that you send can and will be used against you and people you interacted with or wrote about and there is absolutely no deniability about it.</p>
     12 <p>For example with DKIM: The content of the message is known to not be modified and to have been send by the right provider. What is required? The email and a DNS record (which is usually not changed). No interception whatsover is required. Also this standard absolutely doesn’t help against receiving unwanted messages (aka SPAM), so in my opinion it’s a waste of human time(configuration) and computing power.</p>
     13 <p>Did you ever send a message that can be used against you or someone else? Probably (I surely did, please do not continue on this). Also if it can’t be used against you right now, it might be later.</p>
     14 <p><a href="https://queer.hacktivis.me/objects/1aa27f43-3e99-4a19-89a0-cec3c4d98200">Post for comments and sharing on the fediverse.</a></p>
     15 </article>