Wait you guys were getting paid to work on open source?
this post was submitted on 07 Apr 2025
364 points (98.1% liked)
Privacy
36771 readers
248 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
This is it... This is the last straw!!! I was ok with the destruction of free trade, I was ok with the genocide funding, I was ok with the bastardisation of the administrative branch, and I was absolutely okay with the racism!!! But this, THIS??? ABSOLUTELY UNACCEPTABLE!!! As a MAGA supporter, I cannot stand for this any longer! You should be dismantling the minorities, not my website!!!
/s
Make America great again
Trump needs that money for his big boy parade.
The Free Software projects in question: Tor, Let's Encrypt, and F-Droid
Let’s Encrypt
God damn they literally just want to watch everything burn.
I did not knew that Tor was getting funded by the american state. Thats giving me some spooky vibes.
One theory is that Tor was opened to the public by the United States Naval Research Laboratory only to create a crowd of users for their agents to hide in. You need a large enough anonymity set for these sorts of technologies to work.
load more comments
(1 replies)
load more comments
(2 replies)
Elections have consequences. I am no longer on speaking terms w/ trump voters.
load more comments
(4 replies)
the enemy is both weak and strong
The appropriate sequence of events would be:
Trump starts tariffs > People switch to FOSS > Trump cuts funding to FOSS
This really isn't double-speak and, if anything, clearly shows the hostility of the admin. They are just incompetent, short-sighted, and overall an enemy of the people.
Well it looks lime most of us are going to have to step up our donations foe the next few years
You will never approach the amount they receive from government funding. That is the point.
We're going to have to try or potentially lose the project
Let me spell it out for you. Trump has removed our cyber defenses and now he's defunding FOSS projects like Tor and Let's Encrypt!…
Now Trump wouldn't know a FOSS project from a hole in the ground but do you know who does? What world leader who has an entire cyber attack force on his payroll and wants to remove any barriers in finding dissidents who are probably using Tor to coordinate and hide from them?
Do the math. If the government funding of these projects is allowed to be removed it's gonna be a whole new ballgame on the internet and the only ones to reap the benefits are the dictators.
the guy is literally a political front for techbros, it's not like he would do something else.
Those mf build their empires on the back of open source.
Tech bros are only interested in getting the results from open source. They want the free software from their slaves, they aren't interested in paying anything.
Tech companies, for a while, added a bit to open source as it was in their own self interest, but they still shut out everything that wasn't them, they still make the internet in the horrible stonewalled garden that it is today. No account? Half the internet isn't accessible to you anymore
Fuck all the big tech and social media companies
Tech bros are only interested in getting the results from open source
That's why we need the GNU AGPLv3
As far as Let's Encrypt goes, the easy way to solve that is self-signed SSL certificates and Tofu. Just make it stupid obvious if an SSL certificate changes on a site that you go to. Like, turn your browser into a giant red screen that says that the security of the website has changed and may be broken obvious. Maybe you could have search engines also index SSL certificates so you could see if Google and Bing and DuckDuckGo and whoever else all say that this website has the same SSL certificate that it has had for X amount of time and if the search engines start showing different results you get suspicious.
Edit: Using self-signed certificates and tofu fits better with the decentralized ethos of the original web anyway since you're not relying on some third-party authority to tell you what's safe and what's not.
i don't think this is a good idea. govs could just set up a big reverse proxy for lots of sites to serve them with their own certs, and you wouldn't know
Seems like no change from right now, because currently the certificate authorities are centralized entities, which could be pressured by governments to add their own certificates.
How about a Blockchain or Directed Acyclic Graph (DAG) out of SSL certs 🤔
I think that would finally be a use case for that tech, lol
A blockchain to verify ssl cert keys and changes may work. Though idk how consensus would be secured.
If you issue a certificate, you proof ownership via * challenge–response test that is validated by each node. If x% (like eg. 70%) of nodes agree that the test is passed, the block counts as validated and can be placed onto the chain. (Each node places the block on their chain and the hash must be same as hash of chain of majority of nodes)
Never heard of tofu before (the software). What is it?
I had heard about DANE and how that would help in scaling back the need for big CAs but I could never grasp how one would do that. Do you know about it? I'm looking for someone to explain it to me.
Tofu stands for Trust on First Use. So basically, you would get an SSL certificate from the website the very first time you connected to it, instead of trusting a certificate authority. Then, if the SSL certificate changed, you would then be warned that the certificate had changed and would have to decide whether to trust the new certificate or not trust the new certificate. That's why I said perhaps search engines could index certificates and tell you how long the certificate has been active and you could check several engines quickly to determine whether each engine has the same certificate indexed for the same website and if they did not then you would know something might be up.
I don't feel like this adequately accounts for stupid people though. The number of times I've seen people freak out over a perfectly legit website because a cert warning popped up or others who have ignored the warning and clicked through to a scam or malware... 🤦♀️
Decentralization comes with some casualties, and stupid people might just be those casualties.
Oh, this is certainly complex logic (for the search engine I mean).
Well, it really depends on if you want somebody to trust or not. If you don't want to trust anybody except yourself, then you can just use Tofu and be good with it. The only reason I brought up using search engines as an index is just to give people a place to look.
If I want to visit CNBC and I've never visited them before, I could just go straight to CNBC and trust their certificate right away. Or, if I wanted to confirm that the CNBC certificate was likely valid, I could ask DuckDuckGo, Google, and Quant. And if they all agreed that they had the same certificate that I was getting, I'd be more likely to think that it's valid.
This is actually a great idea. Is there an opensource implementation of it?
Well, you can just generate your own SSL certificate on your machine, locally. I believe you can probably do it with OpenSSL. I've only done it with my Monero node, and they offer a binary, which will generate a certificate for you. I would just look up how to create a self-signed SSL certificate. My guess is it's just a few commands in the terminal.
No, I meant the logic where the browser would prompt the user to review and verify the cert for a particular website without consulting a CA. I run some self-signed certs already but I'd love to implement this in my homelab.
Oh, that was an idea for a way to do it. Not anything that's been implemented, or at least not to my knowledge.
This is terrible news, anyone know of alternatives to let's encrypt?
they have more sponsors and won't go broke because of this
load more comments
(7 replies)
view more: next ›