/tech/ - Technology★

>>957640 (OP)

RTFM

>>957640 (OP)

>this entire post

>not even knowing how to link posts on other boards properly

lurk more, faggot

>>957640 (OP)

How do any of you incompetent fucks get by in daily life?>>

>>957640 (OP)

One, you are making IPFS look like shit, fuck you.

Second, do some more research, /pol/, so Gitgud will you?

>>957640 (OP)

So trying to understand those posts, I think you're mixed up on how the layers fit together, or what you're even trying to accomplish. So let's back up a bit.

If you want some sort of indicator that files have not been modified, you need someone who can be trusted to say that, and then provide proof of their trust to others. https doesn't authenticate the documents in any way, it only secures the connection. So you'll have to trust the person who received the documents over https which is not what you were hoping for.

archive.{is,fo,today} acts as a trusted site, but hosting the content themselves is a weak point. What they should be doing is digitally signing and timestamping the archive so if you download the archive and they're later forced to delete it you can still prove it wasn't tampered with.

Digital timestamping is also very useful as you can prove content wasn't manipulated to fit a recent agenda even if people don't trust the archival site. You can use a commercial site for this or also the bitcoin blockchain. I used the blockchain at my last company to timestamp our git hashes so I could prove the software existed at a certain time, in case we ever had to fight off kikes claiming they wrote it.

>>957767

Challenge: How do you decentralize web archiving? Assuming we have 3~10 /pol/acks worth of manpower and at least 1TB of storage for each of them?

There already is an IPFS thread: >>915966

of course polniggers go for IPFS instead of anything else just as they do VPN over tor

>>957767

>https doesn't authenticate the documents in any way, it only secures the connection.

Thank you for your genuine response. But, my question here is, first, when we establish a HTTPS connection, we verify that the certificate is authentic (according to the Cert Authority). We then proceed to establish an encrypted connection (not sure on handshake, Diffie-Hellman?) and then the encrypted tx's take place.

Recording the whole process, can we not determine that the response is indeed from the possessor of the HTTPS certificate for that domain? I understand that the Handshake/Diffie-Hellman keys are probably within the client (browser) itself - so we cannot simply just record a raw stream of the transaction Wireshark or similar and then be able to play it back. We'd need to get that handshake key stored within the client itself.

Am I mistaken in my whole concept here?

As you've mentioned with Blockchain, this is only useful to determine that a piece of data existed at a certain point in time (hash and commit), but it cannot prove authenticity/tamperlessness of a response - which is what I'm primarily interested in atm.

Maybe timestamps are actually used somewhere in HTTPS key-exchanges - in which case, that would give us both proof of tamperlessness and timestamp?

Would love some more insight on feasibility of this. The first few responses here glow.

>>957775

Let's treat this as a "Decentralized Archiving Thread" that just happens to propose leveraging IPFS. Apologies for the poor subject title.

>>957768

Once you have a signed archive file from a trusted party you can share it however you want. Doesn't need to be high tech, just traditional web mirrors is fine and isn't fussy for normalfags to read. Could put them each under one DNS address as CNAMEs in case they get taken down or an anon loses interest so you don't have broken links. Don't get caught up in weird technology, the lowest amount of tech is always the best option.

>>957786

>can we not determine that the response is indeed from the possessor of the HTTPS certificate for that domain?

Hmm, you might be able to actually, I'd not thought about it. I'd need to review the handshake. The negotiated DHE session key (there are actually lots of potential ciphers, it's a hot mess) for the client might be under the client's control though, if so it might be worthless as proof. There's also the possibility of forcing the negotiation of a weaker form of SSL without it that would still be usable as proof but since POODLE I don't know how many servers still have old versions enabled. You might want to ask a crypto-specific group not on a chan.

If you could link them in a provable way, it'd need a lot of custom code to make that into something that could be easily shared in a way that people could understand the proof, though. It'd be a custom client, custom proof check, and custom extractor, not something that's recording a live browser session or a way to just hit it with a browser to replay it. I also don't think there's a way as a pure web app as there's no access to the raw stream let alone the session keys, which makes it a bit inconvenient.

>As you've mentioned with Blockchain, this is only useful to determine that a piece of data existed at a certain point in time (hash and commit), but it cannot prove authenticity/tamperlessness of a response - which is what I'm primarily interested in atm.

Yeah, I mentioned it as a separate thing. You'd ideally want both types of proof as it shows there was no way to have created the authenticated data after that point in time, like by hacking the server.

>Maybe timestamps are actually used somewhere in HTTPS key-exchanges

The cert itself has an expiration date but it's worthless because nothing prevents reusing an expired one to forge "old" data. Time really needs a third party to vouch for. There are commercial "e-notary" services that lawyers use for this that just sign a hash with the time, or you can ghetto the same thing up with buttcoin.

>>957819

Also let me add re the timestamp and "hacking the server" thing, the reason why I bring it up is a site wanting to destroy your archive copy could go "lol we got hacked because we set our root pass to blank and they got our expired session keys and can now forge data appearing to be from any time, oh no, guess all your archived proof is now worthless". This kind of shit is why lawyers use e-notaries.

>>957640 (OP)

>I'm going on the assumption that, if a page is HTTPS, we can prove that the transaction is authentic (not spoofed), by recording the HTTPS handshake

No. Encode the address, a file hash, and a magnet/resource link of the WARC in whatever protocol you're distributing it (IPFS isn't private, I'd prefer torrents over I2P) in a bitcoin transaction or other shitcoin blockchain of choice. This establishes the precise, immutable date and authenticity of the archive.

>>957873

This doesn't prove authenticity. What you've proposed simply timestamps MY archive - but does not prove that the response was provided by the server. This was mentioned here:

>>957786

>As you've mentioned with Blockchain, this is only useful to determine that a piece of data existed at a certain point in time (hash and commit), but it cannot prove authenticity/tamperlessness of a response - which is what I'm primarily interested in atm.

>>957819

Thank you - might take this to a crypto group as suggested. I don't think what I've asked here is very simple - yet the first few posts were glowing as though it was.

>>957873

>>957994

>>957820

>>957819

Also remember that alot of sites are geo-fenced or geo-aware. Several legitimate clients will receive several different version based on what ever 'echo chamber algo' they're using (i.e. google youtube vid recommendations). So plenty of archives can be and will be out of sync. To what degree that'll hinder verification depends on how severely you're authenticating. Using a Hash (Sha256) will of course render a ton of differing hashes. Heuristic hashes might work... sort of.

Infrastructure is needed for a 3rd party network of hash signing 'notaries'. Then allowing it to be tied to archival retrievals. You can create a consensus network so that bad apples are apparent the more clients are used to archive a website. And IPFS/DHT clients can easily create a distributed archival pool.

Ipfs can be 'anonymized' by replacing the bootstrap servers with over-tor servers that seed the initial dht peers (which can also exist only TOR or VPN).

>>957775

>>>/trannypol/