It’s been mandatory since 2018. Browsers will reject certificates which have not been publicly logged.
Perhaps next you’ll wonder if it’s as simple as compromising a CA and a CT log? Nope, as browsers require cryptographic attestations from multiple CT logs. If you’re using Chrome, one of those logs has to be the one operated by Google.
By choosing to only have an EC card you’re making a deliberate choice to make your life difficult by using an incredibly obscure method of payment, no?
You can hardly expect those to work even in other EU countries, much less with an US based online business.
Almost everybody else in the world has a visa or a mastercard (or unionpay)
I don’t get it. How are my friends morally bankrupt for selling NFTs to people like Will Smith or Dubai royalty? Same people who are buying their art to hang on their walls.
It’s not like NFTs brought them a whole new audience, it’s just that their existing audience wanted NFTs.
You might think NFTs are worthless, but the exact same argument goes for easily reproduced physical works of art.
>IMO if you encounter any non-technical artist "excited" about NFTs, tell them to stay the hell away, or risk being seen a bad friend.
Fuck that, despite me being incredibly skeptical of NFTs I’m perfectly willing to acknowledge the fact that some of my non-technical artist friends have earned 6-7 figure amounts selling NFTs.
I think the “planet-killing scam” is very HN-sphere thinking. Most people have no idea. Most non-technical artists I interact with seem very excited about NFTs, often asking me to help them create their own (unfortunately I’m not interested).
And what about when ETH2 goes live in some months and the main NFT chain moves to proof-of-stake? The “planet-killing” problem is already solved, that tech is going live this year. Seems like a fairly fragile criticism.
I agree about securedrop, but the blog post seems to discuss “platforms such as Facebook, the BBC or NYT”.
Also in the case of securedrop it might make sense to have that separate from the rest of your infrastructure, so the “hidden” part of “hidden services” suddenly becomes useful.
> This is counterbalanced by higher phishing risks
I would argue that this is the much bigger footgun for users. Just look at how much money darknet users are losing to the big industry of .onion phishing pages.
> you are guaranteed to be connected to what you expect — or not at all.
Exactly the same guarantees are also achieved by putting your clearnet address on HSTS Preload lists, or by writing https:// in front of the url on the users side.
Most of the technical points listed here are pretty much entirely mitigated by TLS. Exit nodes can of course deny access to specific sites, but hidden services suffer from comparable (or worse) issues.
There are no other practical attacks that malicious exit nodes could execute against sites using TLS and HSTS preload lists. If you’re a website administrator, fixing those things should be your priority before implementing onion addresses.
Onion addresses also come with slight drawbacks. They’re difficult for users and more vulnerable to phishing. Hidden services are also extremely vulnerable to CPU-based DoS attacks.
Perhaps next you’ll wonder if it’s as simple as compromising a CA and a CT log? Nope, as browsers require cryptographic attestations from multiple CT logs. If you’re using Chrome, one of those logs has to be the one operated by Google.
Also such collusion will soon be defeated by SCT auditing https://www.hardenize.com/blog/certificate-transparency-sct-...
https://docs.google.com/document/d/16G-Q7iN3kB46GSW5b-sfH5MO...