Reason for not publishing list

Well, their IPs are something different from the blacklist.
The IPs are something LE cannot easily change to something desired, and a whitehat cannot really do anything about it. But for the blacklists a whitehat can point out those gaps and help LE fix those.

Providing everyone the data I use for my public / private key doesn't though.

But then again, most implementations of how people generate their keys are open source.
The exact generation data for your key is secret and random because that is what is used to encrypt, but the algorithms are mostly open source. Who would have thought about the Debian weak keys issue?
Before we get to the source vs list issue: the list is essentially an "algorithm" to determine what domains are okay and what are not, so I think it would count here as a thing that should be public, again as I said because this allows whitehats to fill gaps. But what could also be done would be, instead of a full list of each and every alteration, that a user could enter their name and get the fitting entry, so that for example that windowsupdatewhateversomething gets shown that it has an association to windows and therefore is blocked.

@josh what is that SDN thing? When I just did a quick search on "SDN" I mostly found software defined networking. Is that such a bad thing it needs to be banned?

Exactly as has been done here. The "algorithm" or methodology has been stated .....

The pure data hasn't.

Specially Designated Nationals List (SDN) - Specially Designated Nationals And Blocked Persons List (SDN) Human Readable Lists | Office of Foreign Assets Control

Transparency [total transparency, and absolute transparency] was achieved when stating such a list exists, and when further disclosing information about ways in which that list is populated.

One does not need to divulge the specifics of internal security processes in order to be fully transparent – especially when the act of doing so would likely undermine their efficacy. Additionally, as others stated the lists may contain data assembled by other groups which may be covered by various contracts and non-disclosure agreements.


If the Babel Fish disproves the existence of God, why not?

What are the chances a tech site would have people capable of quoting HHGTTG?!?!

(At least I refrained from farting in his general direction :wink: )

I'd think the probability approaches unity, but I guess that assumes older geeks...


Everyone STOP being insulting. Even if you are mad at someone, that doesn’t justify insults at all.


Eh, no. As I said already, there are 2 lists. One is that Google thing and the other one is the list LE maintains.

Well, I don't think so, exactly. If it were a static list, a lot of stuff would be able to go through way too easily. I believe there are probably some regexes in there, and this is an algo no matter how you slice it.

High horse? I was just using Linux as an example of open source software being able to be more secure than closed source software. I am not a Linux fanboy; in fact I use Windows for most of my stuff (except Win Server, because these things are so expensive for an individual and won't work on a raspi anyway).

I don't know much about how the servers look, but at least concerning malware I guess there is a reason why I have never seen an antivirus for Linux, probably because there is very little of that.

Also, who said that some of those things cannot be averted more or less easily, or resulted partially from bad configurations?
For example, shellshock only works when the attacker has access to the shell, so well, have fun with that.

Also, on open source software mistakes can be found more easily by whitehats, and blackhats will find them anyway sooner or later. I mean, look at Flash or Internet Explorer.

@DarkSteve I didn't say Linux IS more secure, but it CAN be more secure due to the fact that it’s open source and whitehats can help making it more secure.

Also, closed source software can easily become unsupported or get a certain important update really late. In the case of open source software, everyone could provide a patch, and in the case of software that literally runs as source (like PHP web software) people can quickly incorporate the change without the need for compiling and stuff.

On closed source software there’s a lot fewer people who can look at the source and see different kinds of issues, vulnerabilities and other things.

Also, in closed source software backdooring isn't really hard, while with open source software the next person can just say no and kick that backdoor out again if somebody would try to add one.

Also, Windows Server costs more than a THOUSAND dollars (plus tax). If it wouldn't be more secure than a Windows desktop they would probably get really bad PR.

This is probably not the best thread to discuss the security benefits of open vs. closed source or Windows vs. Linux. I encourage everyone to stick to the original topic of this thread and remember to keep the discussion civilized.

@pfg I would love to read the link, but well, I don't seem to have permission for that.

Also, open vs closed is actually part of the disclose vs not disclose the list (at least in my opinion) because it is essentially the same base principle.

I suspect the link should be https://community.letsencrypt.org/guidelines#agreeable and https://community.letsencrypt.org/guidelines#be-civil

This is about data, not software. That's like saying you're running open source software, so you need to make a db dump available to the public.

One can argue that this list should be public (though I see no value), but it's not the same thing as open source vs. closed source software.


Well, especially on changes it may explain what’s going on.

And well, I see the value in that if the community sees holes, they can be reported and fixed quickly.
This will get especially nice when you start doing IDNs.

But if that’s not a choice, if you blacklist a name, add a comment on why it is blacklisted, so especially on changes users know immediately why they are blacklisted.

Trying to separate out the "data" part from the "algorithm / code" part. I'd say;

There is an "algorithm / code" for how the list is produced. There can be an argument for that to be more openly defined as to its origins.

The "data" is the list itself. It has no algorithm or anything in it, it is purely a data list.

How the "data" is used is part of the "algorithm / code".

So from my perspective, comments like

Is part of the code, and a valid point to provide better feedback to a user (which could be anything from a detailed reason, to "please email us at ...... to discuss why this domain was blacklisted and potentially get it removed").

The original post was "Reasons for not publishing the list", which to my mind is the data though, and not all the other discussions about how that data is either generated or used. Those discussions are probably perfectly valid; however, as @pfg says, they are slightly off topic for this specific thread, since the topic is about the "data", not the "software / algorithm / code".

So if the list contains fewer than 200 entries, this would mean less than 1/5 of Alexa's top 1k.
Google represented 68 entries on the list in 2013. And if we look at how many people complain
in the forum about a legally owned domain that is blocked, I think the list is too strict.

Let's look from the other side:

  1. LE is publicly available.
  2. Anyone can check if you have an LE certificate.
  3. If you were asked why you do not have one and say: "I can't, I am blacklisted",
    I would say this is a negative rating for your service.

On the other hand, we can start a topic to build the list. We already have some of the wildcard names.
And some names from the blocked topic lists.

The way the above has been quoted it makes it look as if I'm an official part of Let's Encrypt and I'm talking about "Our security officers". Can I just point out I have no connection to Let's Encrypt other than a user of their services the same as most people here. The original quote ( if you go back up the thread) is;

Personally I think that's more appropriate than continuing the topic here, if people want to discuss that - as this topic is about "Reasons for not publishing list".

Some ideas about how to “publish” this list:

  1. Publish hashed entries (with a strong hash algorithm and salts), so that you can only check whether a site is blacklisted if you already know the domain name.
    Pros: List can be saved/archived by third-parties so it can also be checked later.
    Cons: If someone has enough processing power they can brute-force the list.

  2. Make a website where you can enter the domain and get a result whether it is blacklisted.
    Pros: No brute-force possible, but users can still check whether domains are blacklisted; rate-limiting can be used to protect against mass-querying
    Cons: Only realtime checks are possible

@rugk the idea about publishing the hashed values needs to have the information whether it is a “wildcard” domain
or a Qualified Postfix. And the second problem is that, unlike passwords, where you have to scan for 8-character alphanumeric passwords, around 60^8 > 10^14 combinations, on the blacklist you “only” need to scan valid and used domain names, which should be much less than 10^10. Since most of the hashes come from Alexa's top 1000,
it is even less than 10^3. So even a website with a rate limit has no better effect.
So whether hashed or not makes no big difference in this case.
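Added example (not part of this thread and not Let's Encrypt's code) that sketches both of rugk's options and the objection in the reply just above: option 1 publishes salted PBKDF2 hashes with the entry type alongside, option 2 is a rate-limited lookup that keeps the list private, and `recover_from_hashes` shows why a small domain namespace makes the hashes recoverable from a list of known domains. The sample blocklist, the candidate domains, the salt, the iteration count and the exact/wildcard matching semantics are all constructed assumptions.

```python
import hashlib
import time


# Constructed sample blocklist (not Let's Encrypt's real list).  Each entry
# carries a match type, because a bare hash cannot tell a consumer whether the
# rule was "exact" (that name only) or "wildcard" (that name and all of its
# subdomains), which is the first objection raised in the thread.
SAMPLE_BLOCKLIST = [
    ("example-bank.test", "wildcard"),
    ("login-example.test", "exact"),
    ("paypal-example.test", "wildcard"),
]

# Constructed "popular domains" list standing in for Alexa-style data.
CONSTRUCTED_CANDIDATES = [
    "example-bank.test", "login-example.test", "paypal-example.test",
    "harmless.test", "news.test", "shop.test",
]

PBKDF2_ITERATIONS = 50_000  # assumed; a "strong hash" per option 1 in the thread


def normalize(domain):
    """Lower-case and strip a trailing dot so equivalent names hash identically."""
    return domain.strip().lower().rstrip(".")


def hash_entry(domain, salt):
    """Salted PBKDF2-SHA256 over the normalized name, hex-encoded."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(domain).encode(), salt, PBKDF2_ITERATIONS
    ).hex()


def _matches(domain, lookup):
    """Shared matching logic.  `lookup(name)` returns the rule type for `name`
    or None.  The full name matches an exact or wildcard rule; each parent
    suffix matches only a wildcard rule."""
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        rule = lookup(".".join(labels[i:]))
        if rule == "wildcard" or (i == 0 and rule == "exact"):
            return True
    return False


# --- Option 1: publish a salted-hash list that third parties can archive ----

def publish_hashed(blocklist, salt):
    """Return sorted (hash, type) pairs; the plaintext names are not included."""
    return sorted((hash_entry(name, salt), rule) for name, rule in blocklist)


def is_blocked_hashed(domain, published, salt):
    """Check a name against the published hashes without ever seeing the list."""
    table = dict(published)
    return _matches(domain, lambda name: table.get(hash_entry(name, salt)))


def recover_from_hashes(published, candidate_domains, salt):
    """The thread's counter-argument: the salt must be public (or nobody could
    check), and the space of real domain names is tiny compared with a password
    space, so hashing a list of known domains recovers the entries."""
    table = dict(published)
    return sorted(d for d in candidate_domains if hash_entry(d, salt) in table)


# --- Option 2: a query service that keeps the list private, rate-limited -----

class RateLimited(Exception):
    """Raised when a client exceeds its query budget inside the window."""


class RateLimitedChecker:
    def __init__(self, blocklist, max_queries, window_seconds, clock=time.monotonic):
        self._rules = {normalize(name): rule for name, rule in blocklist}
        self._max = max_queries
        self._window = window_seconds
        self._clock = clock  # injectable so the limiter can be tested deterministically
        self._history = {}  # client_id -> timestamps of recent queries

    def query(self, client_id, domain):
        now = self._clock()
        recent = [t for t in self._history.get(client_id, []) if now - t < self._window]
        if len(recent) >= self._max:
            raise RateLimited(f"{client_id}: more than {self._max} queries in {self._window}s")
        recent.append(now)
        self._history[client_id] = recent
        return _matches(domain, self._rules.get)


if __name__ == "__main__":
    salt = b"constructed-public-salt"
    published = publish_hashed(SAMPLE_BLOCKLIST, salt)
    print("www.example-bank.test blocked:", is_blocked_hashed("www.example-bank.test", published, salt))
    print("recovered from hashes:", recover_from_hashes(published, CONSTRUCTED_CANDIDATES, salt))
```

Reading it from the defender's side: the salt and iteration count have to be public for third parties to check names, so they only add a constant cost per candidate, and the candidate set is the handful of domains worth impersonating rather than a password space. The per-client rate limit in option 2 slows the same enumeration but does not stop it, which is the conclusion the reply above draws.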
