/hydrus/ - Hydrus Network

I couldn't get https://hydrus.tumblr.com to load, not sure why, but I have updated the others. Thanks for letting me know.

>>1259

>>1255

> 2015 + Tumblr + https == false

Who the fuck works there

Obviously people without a brain

>>1259

>>1264

>>1265

Yeah, it is odd because https://www.tumblr.com does work for me, but hydrus.tumblr.com just hangs, no 'we don't have a cert' error or redirection to http. Same thing for another random tumblr I just clicked on. I guess there is some subdomain issue with their certificate? Maybe because people can stick their own css and stuff on their tumblrs, so it opens up to some kind of XSS attack? Or maybe I just clicked some checkbox wrong when I set it up.

I don't know much about this stuff. Hydrus still works on http/1.1, but I'd love to move to something better in the new year without having to mess around with cert authorities and fixed domain requirements and all that. I'll have to put some time aside to researching how p2p networks do it. I presume I'll end up with user-acceptance of certs through a dialog like how Filezilla does it.

>>1269

I had heard that EFF were involved in that, but I forgot the name–thank you for reminding me.

Now, I'll reiterate that I know very little about this, but doesn't regular cert verification require a static web address? Normal https will verify based on DNS domain name, which means it won't work for a p2p network where servers/supernodes only have non-static IPs. i.e. https://[ip address]/muh_request is always invalid.

I assume it means you have to either:

Throw up a clientside dialog, like how FileZilla does with FTP over TLS, that says "Hey this server has this cert, does this sound ok?" and then remember that cert in future.

Have a different verification scheme with a custom hydrus authentication service, where instead of asking about example.com, we say "Hey, authentication server, does [unique server id] have [public certificate id]?"

Say 'screw it' and automatically accept all certs clientside, which I imagine makes you vulnerable to man-in-the-middle attacks or whatever and may well destroy the whole house of cards.

Or something else. (likely using a different protocol)

I am not sure how much you can screw around with the https libraries in python, and indeed if doing so is a terrible idea. If I remember right, some of them don't even do verification, so this whole question might be moot. If I can interact with the library's cert cache, then I can throw up a dialog or write my own verification schema. Still, I suspect https is just something p2p networks shouldn't try, and instead I should be looking at something else, like this:

https://twistedmatrix.com/documents/current/api/twisted.protocols.amp.html

Which I have played with a bit and had small success with. Again, I think I need to put some time aside and read through some other project's source code.