Anonymity compromised

Hi there,

For a few days I’ve been back on joindiaspora.com, and every day I get a popup in Chrome that asks me to choose a certificate to be authenticated.

Fortunately, I have always refused to choose a certificate, but today I wondered who was asking me to be identified.

I opened a new tab and went to that website, which is https://sysad.org/.

This leads me to two questions:

  • Why does a diaspora pod ask me for a certificate when I’m just crawling my timeline?
  • If I didn’t have different certificates on my computer, would it have been sent without asking me to do so?

I am very concerned by this problem and wish it to be securely solved, or this will lead me to delete my account.

What exactly is the text of the warning you are seeing?

If it concerns authorising a certificate (which sounds likely from what you’ve said), this is nothing to do with your personal identity. It is likely to be the Chrome browser (not diaspora*) noting a discrepancy in the authentication certificate provided by sysad.org that’s used to verify an HTTPS connection.

It is probably the Chrome browser asking if you are willing to trust that remote site and therefore to receive content from that domain in your joindiaspora.com stream in spite of the problem with its certificate of validity. This would not touch on your anonymity or personal security at all. The only security it would touch on would be your computer’s security from being infected with malware.

This usually happens because a security certificate has either expired or has become corrupted in some way, both of which would produce an alert from a security-aware browser.

sysad.org is a long-standing pod and can be trusted, if you want to see content from it in your stream. Otherwise you can continue to refuse the authentication, or you can ignore any accounts from sysad that are appearing in your stream, which would stop that content from being provided and therefore stop the warnings.

This is all assuming that the warning relates to an HTTPS security certificate. If you paste the text of the warning here (removing any personal details that might be included), we’ll be able to give more specific advice.

No, it is not that kind of thing, I think. The certificate being asked for is the one used to connect to the government website to identify its citizens. That certificate clearly shows my name and forename, national number and everything that proves that I’m a real person. That certificate was created using my ID card and is clearly an official real-life thing.

On my side, there is no problem of any kind with the SSL certificate.

I also was getting user certificate authentication requests when users on my pod would try to load images (maybe all images? maybe some images?) from the sysad.org pod. But I set up camo specifically to prevent my users getting freaked out by it.

I attempted to reach the podmin but was unsuccessful.

And yes, this was a prompt for selecting one of your own certificates to provide for authentication. I assume most users don’t have a personal certificate so would never see that prompt as their browser wouldn’t make cert auth available.

FYI Yves: I only have one cert and Firefox didn’t automatically send it. I’d like to think this is true of most browsers.

In my case, it seems that it happens only once a day, maybe after I clicked on “show all” and then scrolled down to see the posts of my TL.

I dunno if user cert auth can be disabled or not, but I’m frightened of validating one by distraction.

And, by the way, this is the first time I’ve seen this on a social network. And I spend a lot of time on them.

It’s not really a Diaspora function. I believe this is due to an image in the page that your browser contacts sysad.org in order to download, but their server (not Diaspora) asks you for authentication.

Not much Diaspora can do about that.

But… this is specifically why Camo support was added to Diaspora. Your podmin can set up a Camo server so that your Pod server is the thing that downloads the images from sysad.org, and then it hands them to you. Therefore making sure sysad.org never even sees you or your IP. Information about that is here: https://wiki.diasporafoundation.org/Installation/Camo
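The image proxying described in the post above, as an added sketch that is not part of the thread and not diaspora*'s own code: the pod rewrites each off-pod image URL into Camo's signed form (hex HMAC-SHA1 digest, then the hex-encoded URL), so the browser only ever contacts the proxy and the remote server never gets the chance to request a client certificate from it. The host names, shared key and helper names are assumptions made for the example.

```ruby
require 'openssl'
require 'uri'

# Hypothetical values for illustration; a real pod sets its own Camo host and key.
CAMO_HOST = 'https://camo.pod.example'
CAMO_KEY  = 'constructed-shared-secret'

# Camo URL layout: /<hex HMAC-SHA1 of the image URL>/<hex-encoded image URL>
def camo_url(image_url, host: CAMO_HOST, key: CAMO_KEY)
  digest = OpenSSL::HMAC.hexdigest('sha1', key, image_url)
  "#{host}/#{digest}/#{image_url.unpack1('H*')}"
end

# Constant-time comparison so the digest check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Proxy side: recover the target URL only if the digest matches the shared key.
def camo_decode(path, key: CAMO_KEY)
  _, digest, hex = path.split('/', 3)
  return nil unless digest && hex && hex.match?(/\A(?:[0-9a-f]{2})+\z/)
  url = [hex].pack('H*').force_encoding('UTF-8')
  secure_equal?(digest, OpenSSL::HMAC.hexdigest('sha1', key, url)) ? url : nil
end

# Relative URLs and the pod's own host are local; anything unparsable is
# treated as remote so that it is proxied rather than fetched directly.
def remote?(src, pod_host)
  host = URI.parse(src).host
  host.nil? ? false : host != pod_host
rescue URI::InvalidURIError
  true
end

# Pod side: rewrite every <img src> that points off-pod to the Camo proxy.
def proxy_remote_images(html, pod_host:)
  html.gsub(/(<img\b[^>]*\bsrc=")([^"]+)(")/) do
    pre, src, post = Regexp.last_match.captures
    "#{pre}#{remote?(src, pod_host) ? camo_url(src) : src}#{post}"
  end
end
```
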

It’s a good thing, but as a lambda user I can’t do anything about Camo. And if I understand correctly, it’s not sysad.org which has to do something, but the pod I’m on: joindiaspora.org. Correct?

Sysad.org has an unnecessary configuration somewhere on their end that is asking for authentication where it isn’t needed. So they should fix the issue on their end.

Buuuut, your pod should also use Camo if it can because it increases your privacy, including for things like this.

BTW I just got a prompt because I typed sysad.org here and the Discourse software tried to load a preview or something of it:

[Image: Screenshot_2021-01-28_10-23-43]

Yes, that is what I was asked for (except that there are several certificates on my computer and I had to choose one of them).

It’s surprising that you’re asked for it just by typing its name in a post… Seems to be triggered by an attempt to load a preview (like Open Graph stuff)?

sysad.org has been (mis)configured this way for quite some time. Any request to this web server causes a certificate authentication prompt. It has nothing to do with Diaspora, as this is done at the web server level.

Other ways to stop seeing these prompts are to either remove all client certificates from your browser or to block access to sysad.org on your router or PC (with a firewall or hosts file). Even if you have contacts from that server, nothing should really break.

In this case, it might be interesting to allow users, from the diaspora* interface, to block (ban) content from specific pods (like sysad).

In my case, there are several users I follow from that pod, but seeing this problem, it could be nice to be able to unfollow them all at once. Thus, blocking the server would do it.

I’ve attempted to make contact with the podmin, or at least the person who was podmin a year ago. I’ve asked them to join in this discussion if possible. I’ll let you know if I hear anything.