I hate the Internet and the people who own it

I just tried it, it still doesn't remember to ask me for the TOTP.

I'm hoping I was just stupid enough to tell KF to remember my device, but I can't find how to tell it to unregister my device so I get asked every time again.

Welp, I did make my password longer around when I added the TOTP. Hopefully that will suffice.
Baleet all your cookies for the farms and then access again, it should force you to login and ask for TOTP.
 
Telegram has restricted the Kiwi Farms announcement channel, likely due to complaint volume. It can be bypassed by this (very slow) website, but I hope to reverse the decision.

Unbelievable. On telegram, I can follow actual white nationalists and people who fedpost for real, no problem. But you make a couple of jokes about autistic sex pests and it’s all over.

This whole process has really opened my eyes to how controlled and propagandistic the modern internet is.
 
...Josh saved our home...
Thank you Joshua Conner Moon
 
Unbelievable. On telegram, I can follow actual white nationalists and people who fedpost for real, no problem. But you make a couple of jokes about autistic sex pests and it’s all over.

This whole process has really opened my eyes to how controlled and propagandistic the modern internet is.
It's not even about that, probably. It's literally "this is getting really annoying with how many reports we're getting, and we're not fully based so just shut it down to get them to shut up"
 
@Null Sorry to tag you to complain, but I noticed that the HTTPS certificate for Kiwifarms is provided by Let's Encrypt, a US based company. This is bad for two reasons: they might deplatform you by revoking your certificate, and the NSA glowniggers can probably decrypt Kiwifarms traffic.

I know this is probably very close to the bottom of your to-do list, but I think you should release some of your shekels for a HTTPS certificate with a more trustworthy root CA. Buypass might be the best choice, they're based in Norway and provide both paid and free certs - but to get a free certificate you need to set up certbot to work with them. However their entire certificate chain (including the root CA) is Norwegian so FVEY glowies probably can't decrypt Kiwifarms traffic.

I had a quick look and it seems like almost all of the other HTTPS certificate providers/authorities have a sneaky US based cert somewhere up the chain of trust: ZeroSSL, DigiCert, Sectigo (US/UK), GoDaddy, Cloudflare.
 
Bad news: Telewebgram appears to be down universally, so viewing the KF telegram page isn't working. Therefore I cannot tell if there is any further elaboration on the feds spying on the site (is that even really spying? It's more like just regular browsing with extra steps).

Good(?) news: I thought google de-indexed kiwifarms.net, but when I search "telewebgram" on google in a private browser this is the 7th result:
1667865003463.png
Google must be actively indexing the site if it's returning a Q&A thread from yesterday, right? I'm not getting cow threads on the first page anymore, but it's usually there by the 2nd and if you search "[name] kiwi farms" it comes up as the first result.

It's not unlikely that I'm just confused.
 
It’s nice to be back on the clearnet and I hope it lasts for a good long while.
Uhhhhhhhh what


1. Feds have backbones tapped
2. Everything is public on the site they don't need to
3. I hope they drop us because then I can put them on blast
And my optimism has waned somewhat due to the alphabet corps getting involved despite Dong Long Gone doing shit that’s much more legally heinous just to get the site offline.

But as it’s been said before the alphabet corps will turn a blind eye to cybercrime if it’s done by the “right” people and done to the “right” targets.
 
Not even 24 hours and I'm on my Kindle, now I can shitpost when I'm insomniac at 2am. :heart-full:

eta: insomnia came - foiled again by blocker :( Also use while in my office at work; please fix thanks in advance
 
they might deplatform you by revoking your certificate, and the NSA glowniggers can probably decrypt Kiwifarms traffic.

I know this is probably very close to the bottom of your to-do list, but I think you should release some of your shekels for a HTTPS certificate with a more trustworthy root CA. Buypass might be the best choice, they're based in Norway and provide both paid and free certs - but to get a free certificate you need to set up certbot to work with them. However their entire certificate chain (including the root CA) is Norwegian so FVEY glowies probably can't decrypt Kiwifarms traffic.

I had a quick look and it seems like almost all of the other HTTPS certificate providers/authorities have a sneaky US based cert somewhere up the chain of trust: ZeroSSL, DigiCert, Sectigo (US/UK), GoDaddy, Cloudflare.
This is dumb.

1. No cert has ever been revoked by ISRG except for US federal sanctions violations
2. ISRG explicitly stopped their policy of rescinding certificates to literal spam websites because it was too much work
3. Just because there is a US certificate somewhere in the chain of trust, this does not give the US authorities access to your private key, which is generated locally.
4. Even if the private key were totally public, SSL has perfect forward security, so there is no possibility to passively eavesdrop, only by actively MITM'ing the connection.
5. Issuing a false leaf certificate is logged by Certificate Transparency and has only been done for a few select targets; it would immediately burn the issuing CA.
6. Issuing an entire false trust hierarchy is even more reckless for the same reason.
7. Regardless of points 4-6, the U.S. federal authorities could just issue a fake certificate using any trusted key. There is no need to use a certificate issued by the same authority, so using a foreign CA gains you nothing.
8. This alleged problem could be fixed (on the server side) way easier by just pinning the certificate with HPKP.
9. If you are really autistically worried about this, use Tor with the onion, which does not rely on any third party signatories.
 
Uhhhhhhhh what


1. Feds have backbones tapped
2. Everything is public on the site they don't need to
3. I hope they drop us because then I can put them on blast
LOL at the new Josh: when a threat of deplatforming comes, "Good, let them. I welcome pain and will glory in the fight."

Just think, the site is back up and on full power just in time for livesneeding over the US Midterms tomorrow. Shit is gon be lit!
 
I'm getting 403 errors when I try and do clearnet. TOR is fine tho.

Wondering if Telegram limited the channel cause of the phone number. Might have triggered some trust and safety thing.
 
This is dumb.

1. No cert has ever been revoked by ISRG except for US federal sanctions violations
2. ISRG explicitly stopped their policy of rescinding certificates to literal spam websites because it was too much work
3. Just because there is a US certificate somewhere in the chain of trust, this does not give the US authorities access to your private key, which is generated locally.
4. Even if the private key were totally public, SSL has perfect forward security, so there is no possibility to passively eavesdrop, only by actively MITM'ing the connection.
5. Issuing a false leaf certificate is logged by Certificate Transparency and has only been done for a few select targets; it would immediately burn the issuing CA.
6. Issuing an entire false trust hierarchy is even more reckless for the same reason.
7. Regardless of points 4-6, the U.S. federal authorities could just issue a fake certificate using any trusted key. There is no need to use a certificate issued by the same authority, so using a foreign CA gains you nothing.
8. This alleged problem could be fixed (on the server side) way easier by just pinning the certificate with HPKP.
9. If you are really autistically worried about this, use Tor with the onion, which does not rely on any third party signatories.
Point 1 & 2: KF was chased out of the US, two US T1 transit providers refused service, Cloudflare along with a handful of American hosters have refused service and social media have all deplatformed Kiwifarms. A special case being made for KF is not an unlikely scenario if enough trannies spam their help/abuse emails (or trannies work at Let's Encrypt). You also admitted that the parent organisation of Let's Encrypt, ISRG, has revoked certificates in the past and you're assuming that they will never do it again. I think they could make an exception, especially for an evil nazi forum with over 9001 confirmed tranny suicides.
Point 3: I mistakenly assumed that the private key was used by CAs for key signing, but it is in fact the public key. Forgive me for that, that was really wrong. The issue does still stand however if you download your private and public keys from your CA, since they generated it for you, they can just save it. I have noticed free SSL (ZeroSSL, Cloudflare) certificate providers doing this, hence why I said that. However it is true that if you generate your own private key, then derive and sign your public key, your CA can't use their private key to decrypt your traffic.
Point 4: Perfect forward secrecy can be achieved in cipher suites where there is a DH key exchange, so TLS 1.3 which KF supports is fine. This is only an issue for weak cipher suites in TLS 1.2 (which should be disabled) - so for people with old devices or web browsers.
Points 5 & 6: I agree, although false trust hierarchies have been issued in the past.
Point 7: This is not technically true since if your domain has a CAA record that forces a certain authority to be used, the feds can't just issue a fake cert using any key. They would need to issue another one from the CAA defined in your DNS, which even if they successfully did would most likely be noticed (or not issued in the first place), revoked and rendered useless as OCSP cert validity is being checked.
Point 8: HTTP key pinning is deprecated and removed in all modern browsers.
In summary, Let's Encrypt HTTPS certificates are fine. My assumption about private keys being used for key signing was wrong. Could still be deplatformed, though unlikely.
 
It’s nice to be back on the clearnet and I hope it lasts for a good long while.

And my optimism has waned somewhat due to the alphabet corps getting involved despite Dong Long Gone doing shit that’s much more legally heinous just to get the site offline.

But as it’s been said before the alphabet corps will turn a blind eye to cybercrime if it’s done by the “right” people and done to the “right” targets.
This more or less confirms that the whole play to get the farms offline is a glow-op. It has their play written all over it.
1. Find a group who hates something they want out.
2. Give that group the means to carry it out.
3. Assist that group in the background.
4. Enjoy the show.

TL;DR: Terry is right about the glow-in-the dark CIA Niggers.
 
This more or less confirms that the whole play to get the farms offline is a glow-op. It has their play written all over it.
1. Find a group who hates something they want out.
2. Give that group the means to carry it out.
3. Assist that group in the background.
4. Enjoy the show.

TL;DR: Terry is right about the glow-in-the dark CIA Niggers.
Why would the CIA need to help a tranny write an email?

Are you suggesting that, were it not for the CIA, Dong Long-Gone wouldn't be able to send complaints?

Are you suggesting that the CIA is powerless to cause HE to mark AS397702 (1776 sol) as DROP?
 
The issue does still stand however if you download your private and public keys from your CA, since they generated it for you, they can just save it. I have noticed free SSL (ZeroSSL, Cloudflare) certificate providers doing this, hence why I said that.
Your private key is never sent to a CA, only a certificate signing request. Here's a good diagram explaining the process the ACME protocol uses (from this pdf)
1667892358751.png
Point 7: This is not technically true since if your domain has a CAA record that forces a certain authority to be used, the feds can't just issue a fake cert using any key.
CAA records are just validated by CAs in the usual course of business when issuing a certificate so that somebody can't trick a moron into accidentally issuing a valid certificate for kiwifarms.net when they're not actually the owner. It doesn't actually prevent a rogue element from issuing a certificate for kiwifarms.net nor prevent clients from accessing the site using the bad certificate.
 
This is dumb.

1. No cert has ever been revoked by ISRG except for US federal sanctions violations
2. ISRG explicitly stopped their policy of rescinding certificates to literal spam websites because it was too much work
3. Just because there is a US certificate somewhere in the chain of trust, this does not give the US authorities access to your private key, which is generated locally.
4. Even if the private key were totally public, SSL has perfect forward security, so there is no possibility to passively eavesdrop, only by actively MITM'ing the connection.
5. Issuing a false leaf certificate is logged by Certificate Transparency and has only been done for a few select targets; it would immediately burn the issuing CA.
6. Issuing an entire false trust hierarchy is even more reckless for the same reason.
7. Regardless of points 4-6, the U.S. federal authorities could just issue a fake certificate using any trusted key. There is no need to use a certificate issued by the same authority, so using a foreign CA gains you nothing.
8. This alleged problem could be fixed (on the server side) way easier by just pinning the certificate with HPKP.
9. If you are really autistically worried about this, use Tor with the onion, which does not rely on any third party signatories.
So you're saying it's literally the next way the troons will break the internet at a fundamental and core level, gotcha.

Your private key is never sent to a CA, only a certificate signing request.
For Let's Encrypt and those doing it right, yes, but many MANY people just let the CA create all the keys "in the browser" and cut and paste them into the appropriate files.

HTTPS/SSL is a godsend, but man do people not give a flying fuck about the certificate chain.
 