As part of our work, we will sometimes put a new system under scrutiny in order to provide constructive feedback, and/or clear up a widespread misunderstanding that could lead to problems down the road (for example, see our series on Certificate Transparency).
Today, we continue this tradition by reviewing one of the lesser known details of the Zcash cryptocurrency. A few days prior to publication, we reached out to the Zcash team and asked them to review this post for accuracy. We thank them for subsequently posting more details about Zcash’s trusted setup.Continue reading →
Thanks to insightful feedback from John Light, I realized it would be good to do a regular Turtle Status Letter in order to keep our followers and supporters abreast of our activities and decision-making process. We now plan to do one every year.
On Monday, the Internet received another reminder about its sad state of security. It was discovered that Dell decided to compromise their users’ Internet security in a way that’s difficult to top.
As elaborated further in this post, Dell, in tandem with Google, made it possible for anyone on earth, you or me, to break every single type of HTTPS connection that Dell users were making (including HPKP connections)—shiny lock icons be damned. Their reason? Continue reading →
Slack is a popular team communications application for organizations that offers group chat and direct messaging for mobile, web, and desktop platforms. While Slack offers many benefits to customers, there are also downsides to using the platform, including high subscription fees and the risk of a massive leak of private data if Slack’s servers are ever breached (again).
Today there are a growing number of open-source Slack alternatives available for people who want to avoid the trap of walled gardens and have more control over the security of their data. As part of our own search for a self-hosted Slack alternative, we reviewed the options out there.
Blockchains are difficult to run on most end-user devices.
Although MITM-proof proxies are a great way to address this problem, they are unlikely to scale well to all Internet users (not everyone will be able to run their own full node). Therefore, most people will need to rely on thin client techniques to reduce the trust placed in such proxies.
This week Google learned of another batch of fraudulently issued certificates for several of their domains. At the end of the post they made a renewed call for Certificate Transparency. In this post, we’ll use the acronym CT to refer to Google’s implementation of the general concept of certificate transparency, and we’ll explore other technologies that also provide it. Continue reading →
It’s important to remember, however, that this project is not really about new bells and whistles. It’s about what kind of a world we want to live in, and for us the answer is clear: we want to live in a free world, and that means addressing these problems:
The Internet is being used as a battleground to wage “cyber war”. Much of our infrastructure relies on TLS to protect us, but its protection is undermined by X.509, a system that forces everyone online to trust the bad apple.
Websites rely on TLS/HTTPS to protect them, but it does a very poor job. Even worse, it’s common practice for websites to pay for this “non-protection” (although, thanks to StartSSL and Let’s Encrypt, it’s no longer mandatory to pay).