public inbox for gentoo-user@lists.gentoo.org
From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user]  Internet security.
Date: Mon, 9 Sep 2013 06:37:54 +0100
Message-ID: <201309090637.56452.michaelkintzios@gmail.com>
In-Reply-To: <522D257C.5060902@gmail.com>

On Monday 09 Sep 2013 02:33:48 Dale wrote:
> Someone found this and sent it to me.
> 
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
> 
> 
> I'm not too concerned about the political aspect of this but do have to
> wonder what this means when we use sites that are supposed to be secure
> and use HTTPS.  From reading that, it seems that even URLs with HTTPS
> are not secure.  Is it reasonable to expect that even connections
> between say me and my bank are not really secure?
> 
> Also, it seems there are people that want to work on fixing this and
> leave out any Government workers.  Given my understanding of this, that
> could be a very wise move.  From that article, I gather that the tools
> used were compromised before it was even finished.  Is there enough
> support, enough geeks and nerds basically, to do this sort of work
> independently?  I suspect there are enough Linux geeks out there to
> handle this and then figure out how to make it work on other OSs.  I use
> the words geek and nerd in a complimentary way.  I consider myself a bit
> of a geek as well.  :-D
> 
> One of many reasons I use Linux is security.  I always felt pretty
> secure but if that article is accurate, then the OS really doesn't
> matter much when just reaching out and grabbing data between two puters
> over the internet.  I may be secure at my keyboard but once it hits the
> modem and leaves, it can be grabbed and read if they want to even when
> using HTTPS.  Right?
> 
> This is not Gentoo specific but as most know, Gentoo is all I use
> anyway.  I don't know of any other place to ask that I subscribe to.  I
> figure I would get a "no comment" out of the Government types.  ROFL
> Plus, there are some folks on here that know a LOT about this sort of
> stuff too.
> 
> Again, I don't want a lot of political stuff on this but more of the
> technical side of, is that article accurate, can it be fixed and can we
> be secure regardless of OS.  It seems to me that when you break HTTPS,
> you got it beat already.
> 
> Am I right on this, wrong or somewhere in the middle?
> 
> Dale
> 
> :-)  :-)

As far as I know the NSA has cracked elliptic curve algorithms and earlier SSL 
versions.  Not that you would suspect this from their peddling of it here :-p

  http://www.nsa.gov/business/programs/elliptic_curve.shtml


Latest TLS v1.2 *should* be OK, but with the advent of quantum computing who 
can tell if science fiction decryption capabilities have become reality for 
state actors.  Looking at this, you can see that loads of websites out there 
are not using strong enough encryption, so even if it worked quantum computing 
may be an overkill for many https implementations today:

  https://www.trustworthyinternet.org/ssl-pulse/

-- 
Regards,
Mick


