End-to-End encrypted chat apps don't help when you're chatting with the FBI

(Via @klong)

https://www.businessinsider.com/fbi-says-agents-thwarted-plot-take-out-marylands-power-grid-2023-2

FBI agents thwarted a plot to take out Maryland's power grid

Sarah Beth Clendaniel and Brandon Clint Russell have been charged with conspiracy to destroy an energy facility.

Insider
(Archived from @shanselman)
@SwiftOnSecurity At Microsoft, where Scott works, there are a lot of private conversations with Satan. And on Satan’s favorite chat app, Teams!
@AccordionGuy OMG, you mean every time I rebooted, my laptop was opening up a highway to hell on startup? Figures.
@sysop408 That’s why old-school Windows shut down like this:
@sysop408 @AccordionGuy Well, if you use FreeBSD, then your situation is quite serious.
@SwiftOnSecurity @shanselman I just assumed that is what the S stood for
@SwiftOnSecurity @shanselman Corollary: You may be having a private conversation with the school gossip.
@SwiftOnSecurity Satan sounds better than the alternatives over there https://thesatanictemple.com/
The Satanic Temple - Official Website

The Satanic Temple encourages benevolence and empathy, rejects tyrannical authority, advocates practical common sense, opposes injustice, and undertakes noble pursuits. The Satanic Temple uses Satan as a symbol of the eternal rebel fighting arbitrary authority and oppressive social norms.

TST

@SwiftOnSecurity @shanselman Very true!

Anyone can request a free SSL cert or buy one, or two or a gazillion 

@stux @SwiftOnSecurity @shanselman *nods in agreement*

And whilst I'd have preferred #CAcert and its #EV-alike #identification & #assurance to have taken over instead of #LetsEncrypt, I'd rather see a sloppy "free #SSL for everyone" than paywalling of said feature.

@stux @SwiftOnSecurity @shanselman that being said the #FBI literally spread #Govware like #ANØM and eavesdropped 3+ years on criminals before busting them with #OperationIronside / #TrojanShield.

https://www.youtube.com/watch?v=EA1KS-xh0n0

This Phone Was Designed By The FBI To Catch Criminals - Anom Phone Hands On

YouTube
Custom FBI 'Google Pixel' Reads Messages...

YouTube

@stux @SwiftOnSecurity @shanselman

And despite #ANØM & #EncroChat they'll continue buying up the same bs under different brand names.
https://www.youtube.com/watch?v=qq9wnMXvgOc

Special Operation Ironside - explainer animation

YouTube

@kkarhan I still look back at the "free web hosting provider" where I had my website a few years ago. They charged money for a LetsEncrypt certificate.

Now I host my websites with a paid provider, so I learned my lesson 😅.

@SteffoSpieler I'm still mad about big corporations - especially Microsoft and Apple, but also Mozilla - cockblocking #CAcert back in the day yet being total supporters of #LetsEncrypt, when in fact the latter does nothing against abuse and literally issues certs to everyone with no records, but #CAcert, which exceeds "Extended Validation" in most cases, gets denied recognition despite having excellent InfoSec & ITsec.

@kkarhan sorry if that sounds stupid, but I don't understand completely what you want to say 😓

My English isn't the greatest and when using many abbreviations and terminology I reach my limit quite fast.

Is it bad that I use LetsEncrypt?

@SteffoSpieler no, it's better than no SSL whatsoever.

I just think that it's proving the reservations against #CAcert to be flat-out lies, since #LetsEncrypt doesn't do any verification whatsoever.

@SteffoSpieler @kkarhan I think what they are saying is LetsEncrypt has issues because they just give certificates out to everyone without caring what is done with them and they still get recognized, while a different organization got blocked by big corps.

So no, it's not inherently bad to use LetsEncrypt, they are just mad that they were treated better than another org despite being worse.

(ofc correct me if I misinterpreted you)

@susul @kkarhan oh wait what. I missed that completely.

yeah, that's actually wtf.

@stux @SwiftOnSecurity @shanselman it doesn't matter if it's free or not. certs should be free, to be clear, but certs being paid doesn't do much about the fact that, you know, bad people still have money

it should be the way it is because everyone deserves privacy, regardless of ideology. that's the baseline. there's no system where only good people's conversations are private and bad people's conversations aren't. we can work from there to prevent bad people from doing bad things

@SwiftOnSecurity @shanselman "this should be private" would be even more precise. Certificates might have been stolen or other bad stuff might have happened

@SwiftOnSecurity @shanselman
wait a sec,
I don't just know it's private

on HTTPS I also have a guarantee that I'm talking to the host that is in my browser address bar

@SwiftOnSecurity @shanselman ah, back in the days when it was still fair to say SSL is ok. People still refer to SSL these days when they mean TLS. Drives me around the bend.
@hamisec @SwiftOnSecurity @shanselman I am betting SSL as a term is here to stay. We still talk about albums of music, video footage, and disk space.
@mkb @SwiftOnSecurity @shanselman hmmm... That is a fair point, except that there are still orgs out there using SSL today in places that really shouldn't be. If you're actively in favour of deprecating something in the name of safety, it can be a bit grinding hearing other professionals referring to it as if it is still acceptable or safe.
@SwiftOnSecurity @shanselman Assuming you don't trust Satan, of course.
@SwiftOnSecurity @shanselman and yet marketing is selling it the worst possible way. The more you hear the word "secure" in a single sentence, the less you should trust it 🙂
@en3py @SwiftOnSecurity @shanselman you might also validate the entity of satan by looking at its certificate!
@emresaglam @SwiftOnSecurity @shanselman exactly. I bet he's using an EV certificate. Guy has standards and a reputation. It's all in the details.
@SwiftOnSecurity @shanselman Maybe but the odds are against satan being on the other end.

@SwiftOnSecurity @shanselman My favorite thing to do is be my own root level CA to create SSL certs that perform MITM attacks against games and their external APIs before the servers are shut down and the game becomes a dead game...

I have yet to succeed in reviving a game this way, but I really want to do so one of these days.

@SwiftOnSecurity @shanselman "this is private in transit"
@billseitz @SwiftOnSecurity @shanselman lotta coffee shops in hell so preventing the satan-in-the-middle attacks is good practice
@SwiftOnSecurity @shanselman before being sold-upon-delivery to Experian and Facebook

@SwiftOnSecurity @shanselman

At least a conversation with Satan is likely to be more private than with God. With the latter it can show up in a Bible before you know it.

@SwiftOnSecurity it’s private, and, usually (often enough that you can generally be confident that) the entity on the other end is who they say they are.

@SwiftOnSecurity @shanselman
before LetsEncrypt... it was 'supposed' to mean trust this.

LE broke that.

@SwiftOnSecurity @shanselman it doesn’t even really mean “this is private”, it just means “this is encrypted in flight to this other endpoint”. Which may be a proxy.
LisPi (@[email protected])

@[email protected] @[email protected] Or really, in general. The #PKI system is hopelessly compromised by various governments. What you can mostly rely on it for is to keep interactions relatively private between endpoints, but certainly not ascertain /who/ is controlling an endpoint.

Mastodon.top
@SwiftOnSecurity @shanselman Does @godpod know you have conversations with Satan?
@SwiftOnSecurity @shanselman and it doesn't even mean private anymore if you've let your fascist corporate security dictators install zScaler or iBoss on your computer.
@SwiftOnSecurity @shanselman I would hope that ANY conversation I have with Satan is end-to-end encrypted.

@SwiftOnSecurity

@shanselman

That's okay. Soon, the EARN IT act will make everything nice and simple and you won't have to worry about this little conundrum!

@SwiftOnSecurity @shanselman I respectfully disagree with this screenshot. https and TLS (as opposed to chat apps) do try to provide authenticity through (web)PKI. Whether they succeed at that is a different question, but the goal is definitely "trust this", as evidenced by the fact that the root CAs are literally called trust anchors.
@sophieschmieg @SwiftOnSecurity @shanselman I think an important disconnect is what to trust it *for*.
@vathpela @sophieschmieg @SwiftOnSecurity @shanselman “trust” is a slippery word … if you trust something you are vulnerable to it breaking that trust; trusted does not imply trustworthy
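To make the two points in this thread concrete (that HTTPS does verify the name in the address bar, and that it only verifies a chain to *some* root your machine trusts, so a locally installed inspection root such as the zScaler/iBoss case above still "verifies"), here is an added example that is not code from anyone in the thread. It uses only the Python standard library and two constructed peer-certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns; the host name `example.com`, the issuer names, and the `evaluate` function's "expected issuer" set are all assumptions made for illustration.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a leaf for example.com issued by a made-up public CA.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Same host, but re-signed by a locally installed inspection root
# (constructed; stands in for a corporate TLS-inspection proxy CA).
INTERCEPTED_PEER_CERT = dict(
    SAMPLE_PEER_CERT,
    issuer=((("commonName", "Corp TLS Inspection Root (constructed)"),),),
)


def dns_names(cert):
    """DNS entries from subjectAltName; browsers ignore the CN nowadays."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single-label wildcard in the leftmost position."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*' covers exactly one label and must leave at least two fixed labels
    return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
            and h_labels[0] != "" and p_labels[1:] == h_labels[1:])


def hostname_matches(cert, hostname):
    """True if the name in the address bar is covered by the certificate."""
    return any(_name_matches(n, hostname) for n in dns_names(cert))


def is_expired(cert, now_epoch=None):
    """Compare notAfter (OpenSSL text format) with the current time."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return ssl.cert_time_to_seconds(cert["notAfter"]) <= now_epoch


def issuer_common_name(cert):
    """Walk the issuer RDN sequence and pull out its commonName."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def evaluate(cert, hostname, expected_issuer_cns, now_epoch=None):
    """Return a list of findings; an empty list means the leaf looks as expected.

    The issuer comparison is a deliberate extra on top of what TLS checks:
    the library only verifies a chain to *some* locally trusted root, so a
    connection that chains to an interception root still passes. Recording
    the issuer you normally see for a host is how you notice the swap.
    """
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append(f"name mismatch: {hostname} not covered by {dns_names(cert)}")
    if is_expired(cert, now_epoch):
        findings.append("certificate expired")
    issuer = issuer_common_name(cert)
    if issuer not in expected_issuer_cns:
        findings.append(f"unexpected issuer {issuer!r}: possible TLS interception")
    return findings


def default_context_verifies():
    """What a stock client checks: chain to a trusted root AND the hostname."""
    ctx = ssl.create_default_context()
    return (ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    expected = {"Example Public CA R1"}
    for label, cert in (("direct", SAMPLE_PEER_CERT), ("via proxy", INTERCEPTED_PEER_CERT)):
        print(label, evaluate(cert, "www.example.com", expected) or "OK")
    print("default context checks (hostname, chain):", default_context_verifies())
```

On a live connection the dict comes from `sock.getpeercert()` on a socket wrapped with `ssl.create_default_context()`; that context already does the name and chain checks, which is the "who is in my address bar" guarantee. The issuer comparison in `evaluate` is the part TLS does not do for you: it only tells you something changed relative to what you recorded earlier, which is the cheapest way to notice that a proxy CA has been inserted between you and the endpoint.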
@SwiftOnSecurity @shanselman @spaf Reminds me of this.

@Cjust @SwiftOnSecurity @shanselman

I came up with that analogy 30 years ago, and it is still pertinent. The full quote is at https://spaf.cerias.purdue.edu/quotes.html

Gene Spafford's Personal Pages: Quotable Spaf

Eugene H. Spafford's personal webpages: Quotable Spaf

@spaf @Cjust @SwiftOnSecurity @shanselman though nowadays all sorts of stuff is done over the web that involves amounts that are definitely the sort that if it were in cash would call for an armoured car... could be more efficient to switch to the right tool for the right job, but from the unsophisticated user end it's impossible to tell if we're driving the armoured car or the skateboard without little purpose-made signs all over the dashboard telling us which is which
@SwiftOnSecurity @shanselman
They have a website? Can I get the URL?
@SwiftOnSecurity @shanselman HTTPSatan and Satan Sockets Layer