Rambling Thoughts on Security and the IndieWeb

PLEASE NOTE: This post is, in expository terms, a mess.  While I may edit and clean it up later, I am very much thinking out loud and typing ideas before I forget them,


The heartbleed mess got me thinking about security again.  It started with pondering a password manager, particularly whether to go with something third party and web based like LastPass or Install KeePass locally.  From there the scenario moved to “If I use Keepass, where to put the database, and what things to encrypt.”

I installed an S/MIME cert from Start for my primary email on this server. I did this of course just as the entire CA system was being called into question. How’s that for timing?  As I continued to poke and prod, I discovered that no iOS browser checks for certificate revocation.  Ouch.

So back to the web of trust I went.  First there was the question of how to protect a GPG keypair I might create.  I imagine two possibilities.

  1. Having a dedicated CPU (probably a Raspberry Pi) for security operations.
  2. When reading about something else, I came across a reference to Qubes, an OS designed to contain exploits by using appVMs and aggressive sandboxing,

The lead developer of Qubes, Joanna Rutkowska , wrote about her security setup.  I found it an enlightening introduction into the behaviors necessary to improve security.  I might try Qubes if I had a machine to dedicate to the endeavor,

Finally my thoughts turned to various attempts at more secure and/or federated systems

  • Pond – forward secret messaging
  • Trsst – microblogging/RSS feed reading that supports GPG – Now with Alpha Code that runs
  • MailPile – standalone MUA that supports Web of Trust
  • FreedomBox and ArkOS – implemetations of personal plug servers for data storage and service provision

When I compare these to all the “facebook/twitter killers”  that haven’t taken off yet.(Diaspora, Friendica, Tent, Pump) I realize that the projects which are seeming to move forward target individual users, rather than try to focus around federated social networks, This lets adoption happen one user at a time,

I think the killer app for the federated social web is a single app that can aggregate all these protocols into one stream,  Gwibber was headed that direction ( I haven’t used it since it became Friends).  Mike Caulfield argues that this aggregation happens in the notification panels of our smartphones and tablets.  I suppose there is no particular reason the hybrid apps on our devices couldn’t point to local instances of federated services from our basement plug servers.   I’ll have to ponder how that would work.

One thought on “Rambling Thoughts on Security and the IndieWeb

Leave a Reply

Your email address will not be published. Required fields are marked *