Yep, CAs are complete fuckery.
2015 Hacker's Manual Recommended Security Toolchain
I switched to LUKS after its developers vanished without trace. Miss the hidden volume feature sometimes though. Veracrypt seems nice but I already got used to LUKS when I first heard about it.
was compromised. Cryptocat devs are incompetent morons who shouldn't be let anywhere near computers.
archivecaslytosk.onion
The rest is secure as far as I'm concerned, especially GPG. Until proven otherwise of course.
HTTPS is not the same thing as TLS. HTTPS relies on TLS to provide privacy and data integrity and certificate authorities to verify otherwise unauthenticated public key exchange.
I'm not sure where you got HTTPS from. Admittedly it was unclear whether I meant the protocol or OpenSSL, but both are garbage -- the protocol is an overcomplicated turd and OpenSSL is so well-trodden territory by now that I'm not going to go into detail.
TLS itself doesn't rely on CAs as far as I'm concerned so I simply assumed you were talking about HTTPS.
I actually can't think of anything that uses TLS without CAs on the spot. Tor, maybe? I vaguely recall something in that direction but that might be wrong. Distros usually use GPG.
SSL can still be stripped and connection can be downgraded. Session hijacking (sidejacking) tools like Faceniff were prevalent. There was a tool called SSLstrip you could use in conjunction with arp spoofing or DNS spoofing. Back in the day there was a really fun tool called subterfuge for this. The vuln related to sslstrip was fixed. sslsplit became the new tool. I'm not sure what tools people are using these days. I'm sure SSL can be defeated to this day.
TOR was originally funded by the DoD and was developed for Naval personnel to send secure communications from countries that they were never supposed to be in. There are ways to de-anonymize TOR users. There was a metasploit module for this. There have been numerous methods of attacking TOR in the past. It is likely there are numerous methods of de-anonymizing TOR users. Also numerous TOR nodes are owned by law enforcement.
TrueCrypt had some issues with a weakness in encryption. There are numerous other tools for creating encrypted containers. Also even with weak encryption you can put one encrypted container inside another or encrypt a file over and over again each round with a separate password or key.
OTR. Anons like it. Never used it personally.
GPG is still trusted.
CryptoCat. Questionable. Dude who invented it was murdered.
Tails. I could never get it to work.
If you want a really secure network find a VPS service that doesn't LOG and accepts cryptocurrency as payment.
You can chain SSH connections and forward other traffic through SSH. You can also use a proxy between each connection. Probably have issues with timeout. That or just set up a VPN on a VPS server offshore.
Using heavy encryption is likely to get you monitored. Since agencies can basically hack you with indemnity these days, if they can't break your encryption and intercept your transmissions, they will probably try to hack your endpoint and exfiltrate data directly from your system.
...
good post, you know your shit
Tails is insecure, because it uses systemd. I'm not a cracker, but I guess they use only minimalistic software that can be trusted - less code, fewer bugs.
2015 TrueCrypt
2019 VeraCrypt