quandyalaterreux

quandyalaterreux wrote

I know this is 3 months old, but to call PM a "security train wreck" is not justified. Pale Moon separates application from content in its code. The "sandboxing" aka e10s applied by Firefox is the real security train wreck. Most of the security bugs in Firefox are actually in e10s. Ironic how a security feature becomes insecure.

The point of a sandbox is so that a single exploit to your browser tab doesn't lead to an RCE. With e10s you need both an exploit to the browser AND the sandbox for you to get an RCE. Firejail is of course not sufficient.

The other elephant in the room is that modern browsers are millions of lines of code with a big list of dependencies, and to provide any meaningful security requires full teams just to keep up with the pace. Unfortunately I don't think Pale Moon has enough people to handle that, and they should be honest about it.

3

quandyalaterreux wrote (edited)

She didn't say that plaintext was better, she said that one shouldn't idealise tor as a 100% safe tool to conspire with!

Of course no one is idealizing tools here, nothing is perfect. There are bugs, there are known longstanding issues that affect all anonymity systems (not just Tor). But the way they were framing the discussion made it look as if not using Tor was the preferable course of action.

2

quandyalaterreux wrote

The US government runs like 1/3 or more of the relays.

[citation needed]; go to the tor-relays mailing list to get familiar with who actually runs them.

It's right on the website FAQ that the network is not designed to handle a committed global adversary with limitless financial and logistic resources. Correlation attacks are not difficult for such global actors.

Even with a global adversary you're better off using Tor (if you disagree please tell us to go directly plaintext so we can laugh at your suggestion).

Signal, it scans your whole contacts list.

I agree that metadata is important, but Signal does make a significant effort at making it private, and your assertion here is blatantly false:

In addition to the end-to-end encryption that protects every Signal message, the Signal service is designed to minimize the data that is retained about Signal users. By design, it does not store a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars. https://signal.org/blog/sealed-sender/

(see https://signal.org/blog/private-contact-discovery/ for the technology and https://signal.org/bigbrother as a case in point).

3

quandyalaterreux wrote (edited)

All the information that is relevant to what I am saying is public information, offered by the developers themselves. You don't have to trust the specific authors; it is just a conversation starter.

Can you point to where you find this evidence in public information and how you synthesized it from it?

I am not spreading FUD...

Yasha Levine is a known FUD spreader, and you're sharing his offensive idiocies, which makes you an accomplice to the charge of FUD spreading.

1

quandyalaterreux wrote

Signal and Tor are in various ways, known and suspected, compromised to state-level actors in USA, and probably the rest of the 14 eyes. This is because they were designed and marketed by CIA front agencies.

Where's your evidence? The best evidence we have from the Snowden leaks indicates that Tor is the king of privacy (and he still recommends it to this day). For Signal: https://signal.org/bigbrother/

You can't just slap a few FUD claims with non-technical innuendo and expect us to move back to plaintext and just accept our doomed fate.

1