To build on what was said below, your whole online existence is essentially three things combined:

1 - Your email account or mail server where you can get password resets.
2 - DNS that protects the mail server from being impersonated.
3 - Your domain WWW server that can publish records that your domain registrar or certificate authority trusts when issuing certificates.

If you lose control of your email account or mail server, people can password reset their way into all of your accounts unless you have some strong second factor such as a security key. If you have a secondary email recovery account, that would be vulnerable. It could possibly be used to bypass your second factor.

If you lose control of your DNS server or your registrar account, then people can impersonate your services such as your web server or mail server for account recovery. A DNS attack could completely remove your existing servers and point traffic to malicious ones as well.

Finally, if you lose control of your web server then it could be used to publish .well-known files used for identity verification with certificate authorities, spread malicious files, your imagination is the limit.

As you can see, DNS and email are critical. Today everybody outsources their DNS and email. Choose how you manage these as if your identity, finances, and company depend on them.

Basically no one controls their own identities. By running your own email or DNS servers the third-party doctrine would not apply to you, and you would get notice that something was going on with law enforcement.
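An added example, not part of the original post: a small model of the recovery chain described above, computing which assets fall when one root (mailbox, DNS, registrar, web server) is lost. The inventory, the asset names and the `reset_via` / `depends_on` / `strong_2fa` fields are all constructed assumptions for illustration.

```python
from collections import deque

# Constructed inventory (all names are hypothetical). For each asset:
#   reset_via  - assets whose control allows a password reset; blocked by strong_2fa
#   depends_on - assets whose control gives takeover regardless of second factor
#                (DNS pointing at the mail server, a recovery address that bypasses 2FA)
INVENTORY = {
    "registrar":     {"reset_via": ["domain_mail"], "depends_on": [], "strong_2fa": True},
    "dns":           {"reset_via": [], "depends_on": ["registrar"], "strong_2fa": False},
    "domain_mail":   {"reset_via": [], "depends_on": ["dns"], "strong_2fa": False},
    "web_server":    {"reset_via": [], "depends_on": ["dns"], "strong_2fa": False},
    "tls_certs":     {"reset_via": [], "depends_on": ["web_server", "dns"], "strong_2fa": False},
    "recovery_mail": {"reset_via": [], "depends_on": [], "strong_2fa": False},
    "bank":          {"reset_via": ["domain_mail"], "depends_on": [], "strong_2fa": True},
    "code_hosting":  {"reset_via": ["domain_mail"], "depends_on": ["recovery_mail"], "strong_2fa": True},
    "social":        {"reset_via": ["domain_mail"], "depends_on": [], "strong_2fa": False},
}

def blast_radius(inventory, lost):
    """Return the set of assets that fall once `lost` is no longer under your control."""
    fallen = {lost}
    queue = deque([lost])
    while queue:
        current = queue.popleft()
        for name, asset in inventory.items():
            if name in fallen:
                continue
            # A reset path only works when no strong second factor stands in the way.
            via_reset = current in asset["reset_via"] and not asset["strong_2fa"]
            # A hard dependency falls with its parent whatever the second factor is.
            via_dep = current in asset["depends_on"]
            if via_reset or via_dep:
                fallen.add(name)
                queue.append(name)
    return fallen

def rank_roots(inventory):
    """List (asset, number of assets lost with it), worst first, ties by name."""
    sizes = [(name, len(blast_radius(inventory, name))) for name in inventory]
    return sorted(sizes, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for name, size in rank_roots(INVENTORY):
        print(f"{name:14} {size:2}  {sorted(blast_radius(INVENTORY, name) - {name})}")
```

Replacing the constructed inventory with your own accounts shows which single loss takes the most with it and which accounts are only protected by a second factor that a recovery address undoes.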

@thedarktangent Jeff Moss it is becoming increasingly clear how critical this observation is. Considering Zooko's triangle ( en.wikipedia.org/wiki/Zooko%27 ), I am getting more and more convinced that anything that does not rely on a cryptographic identity is a waste of time in the long run. Yes, even Mastodon.

DNS -> Namecoin
Mastodon -> Nostr
Signal -> Jami/Briar/SimpleX/Etc

Yes, I know that many of these alternatives carry a questionable philosophical/cultural background. But, from the technological point of view, they are probably the way to go.
