
Tell HN: Riseup.net fails to update canary; fingerprints deleted without notice - orthoganol
After almost a week of direct questioning, canary is still not updated:

https://riseup.net/pl/about-us/canary

Certificate fingerprints deleted for certain domains on Oct. 22nd without notice:

https://github.com/riseupnet/riseup_help/commit/8a8c98e0aaa635130a899c1980569f34633d159d

Page where fingerprints no longer appear:

https://riseup.net/pl/security/network-security/certificates
======
tptacek
If you're doing any kind of radical political work --- left or right --- and
are worried about the attention you're going to attract, don't use things like
RISEUP.NET. You shouldn't be running mailing lists at all. You shouldn't be
using Jabber and asking all your peers to enable encryption. These are
fundamentally unsafe services, and the idea that they can be provided safely
just by paying attention to network security is terribly misleading.

In the universe of possible media in which to conduct discussions with a group
of peers, there may be none less safe than SMTP email mailing lists. Keep
secrets off mailing lists. Never use mailing lists for secrets. Assume your
mailing lists are public. Nobody is going to deploy a mailing list security
solution that will ever be adequate against state-level adversaries. Any site
claiming to keep political activists secure that offers mailing lists should
be viewed with suspicion, because "don't use mailing lists" is close to the
only thing that messaging security people agree about.

~~~
Raed667
I remember clearly a Tunisian opposition party was using a RISEUP mailing list
around 2006 to spread its articles, political statements, etc... (When they
were banned before the revolution of 2011).

Not all politicians can/know how to operate anything more complex than an
email account.

~~~
Cyph0n
That's an interesting piece of history. It kind of makes sense that
accessibility can sometimes be worth the potential downsides.

By the way, are you a fellow Tunisian? I'm kind of surprised because I've
never run into a Tunisian on HN :p

~~~
Raed667
Maybe one day I'll release an archive of pre-2011 emails and IRC logs.

Yes I'm Tunisian, I only know of a couple active people around here, but there
is a ton of readers.

~~~
Cyph0n
Wow, so you operated mail and IRC servers for use by dissidents pre-2011? I
would definitely attend a talk about that! A blog post would be amazing too.

I see, that's great to hear. I don't live in Tunisia, so I'm not familiar with
the Tunisian tech scene. Judging by your Twitter feed, it seems to be really
active, which is awesome!

~~~
Raed667
Nothing that impressive, I was just a bystander, I had a bot that logged IRC
conversations on certain rooms and I subscribed to a number of mailing lists.

I just need to find the time to filter that data and publish something.

------
mirimir
And from riseup.net @riseupnet

    
    
        listen to the hummingbird, whose wings you cannot see,
        listen to the hummingbird, don't listen to me. #LeonardCohen
    

[https://twitter.com/riseupnet/status/797142735283257345](https://twitter.com/riseupnet/status/797142735283257345)

~~~
makomk
That was probably just commemorating Leonard Cohen's death, and the
certificate fingerprints were probably just removed because they switched to
Let's Encrypt for those domains. But you never know.

~~~
anigbrowl
What good is a warrant canary if it's also used for whimsy or commercial
speech? If they don't take it seriously enough for people to know what it means
then their system isn't worth using to start with.

~~~
acqq
A Twitter feed is not a warrant canary.

Edit: the exact link to the official warrant canary is specified in the top
post, please don't answer if you haven't recognized that much:

[https://riseup.net/pl/about-us/canary](https://riseup.net/pl/about-us/canary)

The "If they're relying on double entendres then it might as well be" as a
response to "A Twitter feed is not a warrant canary" really has no sense.

[https://en.wikipedia.org/wiki/Warrant_canary](https://en.wikipedia.org/wiki/Warrant_canary)

Also worth reading:

[https://www.schneier.com/blog/archives/2015/03/australia_out...](https://www.schneier.com/blog/archives/2015/03/australia_outla.html)

~~~
anigbrowl
Think about it a while longer.

------
corndoge
October 23:

"If you are doing certificate pinning with us, we are updating certs! so keep
calm and check the new FPs here
[https://riseup.net/en/security/network-security/certificates](https://riseup.net/en/security/network-security/certificates) …"

[https://twitter.com/riseupnet/status/790245677234282496](https://twitter.com/riseupnet/status/790245677234282496)

Updated fingerprints (PGP signed Oct 22):

[https://riseup.net/security/network-security/certificates/ri...](https://riseup.net/security/network-security/certificates/riseup-signed-certificate-fingerprints.txt)

Edit:

See OP below restating that fingerprints for certain subdomains are what is
missing. Should have read more closely ;)

~~~
orthoganol
Yes I linked to the current certs in the post text. The issue is with the
domains that were deleted in the commit (also linked) which no longer appear
in these links.

Black, labs, and a few others have their own certificate that no longer can be
verified with fingerprints, since Oct 22nd.

------
eutropia
I'm uninformed. What is the significance of riseup.net?

~~~
djsumdog
I hadn't heard of it either until just now. I remember when Reddit removed
their warrant canary. I barely even use it now. For most people I bet it
didn't matter. I have a feeling with the mission of Riseup, this will have a much
larger impact on their userbase .. the ones who are aware of this.

~~~
shostack
I'll bet they placed bets on how quickly people would stop caring once it left
the front page. That plus their usage of Moat display analytics tags on the
homepage, and pushing for people's email addresses should be a clear telegraph
of where they want to take the site.

I'm also curious about the security of things like RES.

------
module0000
Imagine if your office live-broadcasted _nearly_ everything. From the
corridors, reception area, to the opening of physical mail. The PR and
generally more "public" email addresses could be transparent as well.

This means when the NSL arrives, it will be seen by the world.

~~~
NeutronBoy
> Imagine if your office live-broadcasted nearly everything.

The next step in the fight against ongoing, overbearing surveillance is...
ongoing, overbearing surveillance?

~~~
scrollaway
Transparency, not surveillance.

------
maxt
I am highly skeptical of any claim that an email provider is more private than
other providers. E-mail is fundamentally not secure and not private, unless
you enhance it with PGP, which requires you to, of course, have something you
want private.

Most people don't encrypt because they're not scared enough. It usually takes
some time before their worldview is repeatedly shattered enough that
encryption is the only choice they have.

~~~
hackuser
The parent statement is very misleading. Here are some significant
differentiators between email providers:

* Encryption in transmission of emails sent and received, using SSL/TLS

* Encryption in transmission of webmail sessions, using HTTPS

* Authentication security: Do they use 2 factor or other tech?

* Logging and retention of logs

* Reading your mail to build marketing profiles and social graphs

* Access by employees to your data

* Retaining and sharing your personal data with other businesses

* Security of your account information; can they easily be persuaded to surrender it

* Security of the email provider's systems

* Responsiveness to 3rd party requests for your information, whether private parties in lawsuits or legal authorities with/without warrants

* Cooperation with government surveillance dragnets

Security always is a matter of degree. Email will never be perfectly secure
but there are some big differences between providers.

~~~
maxt
> Authentication security: Do they use 2 factor or other tech?

Sorry for sniping this specific one, but 2FA is (more often than not),
security theater. It gives the illusion of security like how TSA baggage check
is a big dance of scanning, pat-downs, and key ceremonies.

For context, consider Yahoo Mail, where emails are read by intelligence
agencies before the user even gets them. Does my 2FA help here? Probably not.

I can understand that 2FA does have its uses, but frequently I'm seeing it
being used like those 'Secured by Comodo SSL' with a picture of a shield to
make a would-be shopper feel like the transaction is more secure. It can be
theater.

~~~
acdha
That's like arguing that an airbag is safety theater because it doesn't
prevent drowning if you drive off of a bridge.

MFA is used to prevent a third-party who has access to your credentials from
being able to login as you and, in the case of U2F, to prevent a successful
phishing attempt from compromising your account.

MFA offers no, and never has been billed as, protection against a subverted
server or an attacker who can decrypt or tamper with traffic on the wire.

Security is a large, complicated problem. There will never be a single measure
which protects against every threat.

------
llamataboot
New tweet:
[https://twitter.com/riseupnet/status/800815181190217729](https://twitter.com/riseupnet/status/800815181190217729)

Confusing update IMHO. Could be read as reassurance. Could also be read as
being threatened with incarceration and being forced to keep the site up. Or a
reminder to archive stuff immediately because of impending shutdown.

Not really sure what to make of it, other than they have obviously heard the
concerns and /not/ updated the canary.

~~~
josho
Not really my area of expertise, but it strikes me as completely clear.

The canary hasn't been updated and the tweet implicitly acknowledges that they
are aware of the concerns that people have about the overdue update. I can
only think of two reasons to do this. 1. get some publicity or 2. for whatever
reason they are unable to update the canary and are unable to say why.
Personally, I doubt it's reason 1.

~~~
llamataboot
But why say they have no plans to shut down and link directly to the part of
their FAQ where they say they will shut down if they are under government
surveillance? Why not just tweet something like "We have heard your concerns"
or something similar

~~~
segmondy
You might not be able to shutdown if you have been forced to keep the service
running.

------
0xCMP
> If you are doing certificate pinning with us, we are updating certs! so keep
> calm and check the new FPs here

[https://twitter.com/riseupnet/status/790245677234282496](https://twitter.com/riseupnet/status/790245677234282496)

------
oconnore
If you care enough to post canaries, shouldn't you also care enough to just
close shop instead of subtly telling your users to stop using your services?

~~~
adrusi
I'd imagine that since Lavabit, NSLs make that harder if not illegal.

~~~
tammer
It's not within legal purview to force someone to _continue_ doing something,
is it?

~~~
cyphar
But they could order them to give them access to administer their servers,
with acts of sabotage being punishable. There's no reason you should assume
that the people running RiseUp right now are the same people that ran it a
week ago.

------
Residue
Looks like issue will be resolved soon:

[https://twitter.com/riseupnet/status/765414528951529472](https://twitter.com/riseupnet/status/765414528951529472)

    
    
        .@flanvel Thanks for noticing. A refreshed canary statement will be up shortly.
    

\----------------------------------

Disregard, I forgot to check date.

\----------------------------------

That tweet is from August

------
dates
Before the most recent update, it was updated April 10th. So 121 days between
updates. At the same rate, it would be updated next around December 21st. But
yeah that is a strange tweet, and lack of tweets since is also strange.

------
jtmarmon
Perhaps I'm doing this wrong but when I try to verify the gpg signature I get

    gpg: Signature made Tue Aug 16 01:01:19 2016 EDT using RSA key ID 139A768E
    gpg: Good signature from "Riseup Networks <collective@riseup.net>" [unknown]
    gpg:                 aka "Riseup Treasurer <treasurer@riseup.net>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 4E07 9126 8F7C 67EA BE88 F1B0 3043 E2B7 139A 768E

~~~
geofft
Do you have a trust path between you and that key? If not, that message is
normal, but you have no in-band way of knowing whether it's a valid signature
from the right key or a valid signature from a fake key. However, if you have
some trustworthy source that that's the right fingerprint, then you know it's
a valid signature from the right key.

(This is why I hate PGP.)
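
Added example, not part of the thread or of Riseup's own tooling: the check geofft describes (a good signature only counts if the key fingerprint matches one obtained out of band), combined with the freshness question raised in the comments above. It parses GnuPG's machine-readable status lines; the sample status lines are constructed, and the maximum age is a value the caller chooses, not a Riseup policy.

```shell
#!/bin/sh
# Added example: check a signed canary against a key fingerprint obtained
# out of band, and against a maximum age chosen by the reader.

# Fingerprint as quoted in the thread. It only carries weight if you confirmed
# it through some source other than the key itself.
PINNED_FPR="4E07 9126 8F7C 67EA BE88 F1B0 3043 E2B7 139A 768E"

# check_canary_status PINNED_FPR MAX_AGE_DAYS NOW_EPOCH  (status lines on stdin)
# Returns 0 fresh and pinned, 1 no valid signature, 2 other key, 3 stale.
check_canary_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    max_days=$2 now=$3 primary="" sig_ts="" bad=0
    while read -r tag kw a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            # VALIDSIG args: fpr date sig-timestamp expire version reserved
            #                pubkey-algo hash-algo sig-class [primary-key-fpr]
            VALIDSIG) sig_ts=$a3; primary=${a10:-$a1} ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ -z "$primary" ]; then
        echo "FAIL: no valid signature"; return 1
    fi
    if [ "$primary" != "$pinned" ]; then
        echo "FAIL: good signature, but from unpinned key $primary"; return 2
    fi
    case "$sig_ts" in
        ''|*[!0-9]*) echo "FAIL: unparseable signature time"; return 1 ;;
    esac
    age_days=$(( (now - sig_ts) / 86400 ))
    if [ "$age_days" -gt "$max_days" ]; then
        echo "STALE: signed $age_days days ago (limit $max_days)"; return 3
    fi
    echo "OK: pinned key, signed $age_days days ago"
}

# Constructed sample: status lines shaped like a good signature by the key
# above, timestamped at the "Signature made" time in the pasted gpg output.
sample_status() {
    echo "[GNUPG:] GOODSIG 3043E2B7139A768E Riseup Networks <collective@riseup.net>"
    echo "[GNUPG:] VALIDSIG 4E0791268F7C67EABE88F1B03043E2B7139A768E 2016-08-16 1471323679 0 4 0 1 8 01 4E0791268F7C67EABE88F1B03043E2B7139A768E"
}

# Real use (assumes gpg is installed; $1 is the saved clearsigned canary,
# $2 the maximum acceptable age in days).
verify_canary_file() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null |
        check_canary_status "$PINNED_FPR" "$2" "$(date +%s)"
}
```

A verdict of `OK` still says nothing about whether the pinned fingerprint itself is the right one; that trust has to come from outside the signed file.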

------
bitxbitxbitcoin
Is it due to be updated by today? Or is it not late until the last quarter of
2016 passes without an update?

------
beardog
I don't get it. They last updated in August. Wouldn't the next be due in
December?

------
stromthurman
Misleading title. There were no "fingerprints deleted without notice"

------
davimack
I love how this conversation devolved into pedantry, honestly. Worry about the
a/an usage, don't address the root issue, why don't you. Yup: programmers are
grammar nazis.

------
orthoganol
Speaking for myself, this was brought to my attention in the context of a
developing story about WikiLeaks being under duress or Julian Assange missing,
who has not sent direct communication let alone signed communication for
around a month now.

EDIT - if curious,
[https://www.reddit.com/r/WhereIsAssange/](https://www.reddit.com/r/WhereIsAssange/)

~~~
notatoad
It's well known that his internet is cut off. I think if somebody was sending
communications with his signing key while he is known to be unable to
communicate, that would be the real problem.

~~~
orthoganol
He usually sees a lot of visitors, and the organization has access to millions
of dollars, so he certainly has various methods available to him to say "I'm
fine." They can't physically "cut him off" the Internet, but they can demand
that he pause the election-related PR he was doing. They asked him to not
interfere in the election, specifically.

However, the election has been over for some time. Even if they could, I doubt
the Ecuadorian Embassy would forbid him from sending a basic message, picture,
clip to verify he is OK, especially since pressure has been on them for a
while now about his well being.

------
confounded
Is an FOIA request useful?

~~~
jrochkind1
To whom, hoping to get what? Probably not. You obviously can't get secret
security letters or sealed warrants via an FOIA.

