
"If they stay there without change, that indicates something too."

Usually they stipulate that they are to be updated every X days/weeks/months/whatever. So if you see one that promises to update every Monday, for instance, and it's old, that would be the same as being abandoned.



What is to stop them from lying? They get a warrant, but don't remove the canary. Later on, someone finds proof of the warrant, but then what? You sue Cloudflare for...what? False advertising?


> What is to stop them from lying?

Nothing. At the end of the day, whether giving someone else your data is a good idea or not remains a question of trust.

Do you trust them to stop updating the canary in case they become compromised?

If the answer is no, then you probably shouldn't be giving them valuable data.


Ideally, sure. But even CloudFlare's doesn't indicate any sort of update date that I can see: https://www.cloudflare.com/transparency/


Maybe it's buried in footnotes to that page or in their ToS or something.

In my mind, the "correct" way to do this is to:

1) PGP sign the entire warrant canary statement with a published key.

2) add unfakeable news headlines to the canary itself (such as recent stock prices or sports scores)

3) date the warrant canary and include a well-defined schedule of updates

I believe this is the authoritative example:

https://www.rsync.net/resources/notices/canary.txt
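
A reader-side check for points 1 and 3 of the list above, as an added example that is not part of the thread or of any provider's tooling: it accepts a date and schedule only if they sit inside the PGP clearsigned region, and reports whether the canary is overdue. The field names `Date:` and `Update-Interval-Days:` and the sample text are constructed assumptions, and the signature itself still has to be verified separately (for example with `gpg --verify`) against the published key.

```python
import re
from datetime import date, timedelta

# Constructed sample canary. The "Date:" and "Update-Interval-Days:" field
# names are assumptions for this example, not a format used by a real canary.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Date: 2024-03-04
Update-Interval-Days: 7
No warrants have been served on Example Corp (constructed statement).
Headline: constructed headline text dated 2024-03-04
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

# Armor header lines, a blank line, then the signed body up to the signature.
CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n"
    r"(.*?)\n-----BEGIN PGP SIGNATURE-----", re.S)

def signed_body(text):
    """Return only the text covered by the signature, or None if unsigned."""
    m = CLEARSIGN.search(text)
    return m.group(1) if m else None

def canary_status(text, today, grace_days=1):
    """Classify a canary as unsigned, no-schedule, future-dated, stale or fresh.

    Does NOT verify the signature; it only refuses to trust a date or
    schedule that lies outside the signed region.
    """
    body = signed_body(text)
    if body is None:
        return "unsigned"
    fields = dict(re.findall(r"^([A-Za-z-]+):[ \t]*(.+)$", body, re.M))
    try:
        issued = date.fromisoformat(fields["Date"])
        interval = int(fields["Update-Interval-Days"])
    except (KeyError, ValueError):
        return "no-schedule"   # nothing to measure staleness against
    if issued > today:
        return "future-dated"  # pre-dated statements prove nothing
    if today > issued + timedelta(days=interval + grace_days):
        return "stale"         # missed its own promised update
    return "fresh"
```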


Other than the scheduling piece, this seems like the kind of problem a blockchain would _actually solve_. I know we're all tired of "The banks/shipping industry/insurance need to use webscale blockchain!!!!"

But a signed message that's publicly audited as authentic and stored non-centrally seems perfect for canaries....



