Could someone explain what this means in layman's terms?
Governments could bribe or steal from certificate authorities (CAs) to host a copy of the website while your device still says it's encrypted and secured. Then they can change that key (random looking characters) on the website, which is used for encrypting information so that only the journalists can decrypt what you sent for confidentiality, but if the government changes it to their own key then they can decrypt it and catch you. Having it physically printed means now they'd have to change that too somehow, which is much harder and especially hard to target only to specific people so nobody finds out they were trying to spy.
That is not a viable attack. You can verify keys. Modern encryption is robust. A modified key would not be able to decrypt anything encrypted by the publisher. The key would be obviously fake to anyone who tried to verify it. And if the publisher found out about this, they have the means to get the word out; they're literally a news organization.
Governments are probably tracking the downloads of keys. That's the much more reasonable threat from keyservers. If they can prove you had access to sensitive information, and downloaded the public key of the journal that published it, they've got you. Printing the key mitigates that risk.
I'm pretty sure that's a key for encrypting a message to the publisher, not decrypting a message from the publisher, so you can't verify via decryption. However, you can verify the key via the physical print, which is the point of it.
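The check described above, comparing a downloaded key against the printed copy, as an added example that is not part of the original thread: it computes the OpenPGP version 4 fingerprint of a key and accepts the key only if all 40 hex digits match what was copied from paper. The sample keys are constructed with fake material; binary (non-armored) input and v4 (SHA-1) fingerprints are assumptions.

```python
import hashlib
import struct

def first_packet(data):
    """Return (tag, body) of the first OpenPGP packet in binary key data."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                        # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, start = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                 # old-format header
        tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
        if size == 8:
            raise ValueError("indeterminate length not supported")
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[start:start + length]

def v4_fingerprint(key_data):
    """SHA-1 over 0x99, two-octet body length, and the public-key packet body."""
    tag, body = first_packet(key_data)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches_print(key_data, printed):
    """True only if all 40 hex digits copied from paper match the downloaded key."""
    typed = "".join(printed.split()).upper()
    return len(typed) == 40 and typed == v4_fingerprint(key_data)

def make_sample_key(modulus):
    """Constructed v4 RSA public-key packet with fake key material (not a real key)."""
    mpi = lambda b: struct.pack(">H", int.from_bytes(b, "big").bit_length()) + b
    body = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + mpi(modulus) + mpi(b"\x01\x00\x01")
    return b"\x99" + struct.pack(">H", len(body)) + body

if __name__ == "__main__":
    genuine = make_sample_key(bytes(range(1, 129)))
    swapped = make_sample_key(bytes(range(2, 130)))    # key substituted in transit
    fp = v4_fingerprint(genuine)
    on_paper = " ".join(fp[i:i + 4] for i in range(0, 40, 4))  # grouped as printed
    print(on_paper, matches_print(genuine, on_paper), matches_print(swapped, on_paper))
```

A truncated value such as the last 16 digits is rejected on purpose, since a partial match says much less than the full fingerprint.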
Both keys can be used to encrypt files that only the other key can read. When sending encrypted messages you generally encrypt with both the sender's private key and the recipient's public key, so that the recipient can decrypt the document, but they can also know it was sent from who they expect.
You verify the public key by decrypting something encrypted by the private key.
So the government MitMing you can know it's from you? I don't think that changes anything. There's still nothing stopping a MitM from just changing the key shown at the bottom of the page and then reading whatever you send.
Man in the middle:
You <-cert for x sign by ca-> x
You <-cert for x sign by ca (fake, gov control)-> gov.spy <-cert for x sign by ca-> x (optional)
To x, it looks like gov.spy is you; gov.spy acts like a proxy. And gov.spy can try to force your device to connect to gov.spy instead of x (DNS poisoning, ISP-forced IP redirect, ...). It will look like x (the domain resolves to gov.spy's IP, but you cannot know), have a valid cert for x, and be trusted.
For that, the government needs to be in the middle of the communication channel. That would take a lot more than just replacing the key on the keyserver.
And gov.spy can try to force your device to connect to gov.spy instead of x (DNS poisoning, ISP-forced IP redirect, ...).
The Internet relies on DNS and IP. CAs are only relevant for internet communication. It takes more, but not much more.
Public / Private key pairs are used for securely transmitting encrypted documents. The publication will generate a pair of linked keys, and publish one of them, the public key, while retaining the private key.
If you encrypt a document using the public key from the publication, your document can only be decrypted by the holder of the private key. So any whistleblower wanting to contribute can use that key to make sure no one other than the publication can read their submissions.
The same can be done in reverse. The publisher can use their private key to encrypt a document that only the public key can unlock. Though anyone can decrypt it because the key is public, this verifies the sender because it can only have been sent by the holder of the private key.
Usually they are published to a keyserver; actually printing the key is uncommon.
Thank you. This was a great explanation. How does one go about encrypting a message using a public key? Also, should I use a burner email ID to send the encrypted message to the Guardian?
I've not actually done this in practice. There is software that does that. The thing that will get you caught leaking sensitive information is when you have revealed something somewhere. If this newspaper publishes sensitive information you have access to, someone will see that your Lemmy account was specifically asking about sending to that specific publisher.
Most journalists know how to protect sources. Some don't. Make sure you vet whoever you are communicating with.
How does one go about encrypting a message using a public key?
Find the place in your trusted email program's settings to add the recipient's public key and select it when sending the mail.
If you want to be able to answer their questions or identify yourself in follow-up emails, you should also generate your own key.
Also, should I use a burner email ID to send the encrypted message to the Guardian?
Anyone spying on you will only be able to see that you contacted the Guardian but not what you told them. Having a burner would mean someone sees you contacting the burner service and then the newspaper. That said, you should probably make a new email for it, but I don't know what exactly you understand as a burner email.
My guess is some sort of secure, anonymous way to send material to the newspaper? I’m also very curious
I would argue cypherpunk more than cyberpunk
This guy cyphers
I've always been a fan of the Guardian ever since I found out about the Snowden files
The crypto community has been doing this since the 1980s
Check out the Sunday New York Times