From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Date: Fri, 18 Apr 2014 17:45:00 +0100
Message-ID: <201404181745.01433.michaelkintzios@gmail.com>
In-Reply-To: <53513640.9060307@gmail.com>
On Friday 18 Apr 2014 15:27:12 Dale wrote:
> Matti Nykyri wrote:
> > On Apr 17, 2014, at 23:17, walt <w41ter@gmail.com> wrote:
> >> On 04/17/2014 11:43 AM, Matti Nykyri wrote:
> >>> I don't know much about the secp521r1 curve or about its security.
> >>> You can list all available curves by:
> >>>
> >>> openssl ecparam -list_curves
> >>
> >> I don't either, but I hope this guy does :)
> >>
> >> http://www.math.columbia.edu/~woit/wordpress/?p=6243
> >
> > Good article :) The overall picture I had about EC is more or less the
> > same as described in the article. But you always have to make a threat
> > analysis and it depends on the private data you are protecting. By
> > definition any private data will be disclosed given enough time and
> > resources.
> >
> > So if your adversary is NSA... Well protecting the communication of
> > regular internet user and your production server with SSL and x509
> > certificates will just not secure the content. I'm 100% certain that NSA
> > has access to at least one CA root certificate's private keys. With those
> > they can do a man-in-the-middle attack that the regular user will most
> > likely never spot.
> >
> > In my own security model I'm protected from NSA by the fact that it will
> > disappear in the flow of all other traffic because NSA is not stealing
> > credit card numbers :) ECDSA with ECDHE is fast and secure according to
> > public sources.
> >
> > The problem is totally different if you are protecting the secrets of
> > your company that are within the interest of NSA. I'm lucky I don't have
> > to try that.
>
> On this topic about NSA, I read an article that claimed the NSA was able
> to view httpS traffic live or close to live since they had some backdoor
> access keys. I don't recall where the article was but since this is a
> knowledgeable bunch, is this true? If for example I go to my bank or
> credit card website, can they "easily" view that traffic?

If your bank was using certain versions of openssl over the last two years,
then *any* attacker who knew of the heartbleed bug would have been able to
steal the private key of the server and decrypt all communications with it.
It is rumoured (but could be FUD) that NSA are likely to have known of this
vulnerability since at least November 2013.

> One reason this jumped out at me was that in the article, it was claimed
> that a group of people was going to rewrite the code/software/whatever
> for httpS and other encryption tools.
>
> If someone has links to such info for me to read and pass on to others,
> that would be great too.

HTTPS on its own does not mean much, if it is using insecure (less secure)
algorithms. RC4 and DES are no longer considered secure, but there are
websites and browsers that still use them in preference to more secure
cryptos. Some elliptic-curve-based algorithms peddled by NIST at the behest
of NSA are now considered suspicious, if not downright compromised by design.

http://safecurves.cr.yp.to/

--
Regards,
Mick
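
An added example, not part of the message above or of the thread: the point about RC4 and DES being used in preference to more secure ciphers can be checked offline by auditing a cipher list in the format printed by `openssl ciphers -v`. The sample listing, the function names and the client offer sets are constructed for illustration.

```python
import re

# Constructed sample in the format printed by `openssl ciphers -v`, in server
# preference order (most preferred first). Not taken from the thread.
SAMPLE = """\
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DES-CBC-SHA                 SSLv3   Kx=RSA  Au=RSA Enc=DES(56)     Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
"""

# RC4 and DES are the two the message names; "None" means no encryption at all.
WEAK_ENC = {"RC4", "DES", "None"}
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^()\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

def parse(text):
    """Return one dict per suite, keeping the order of the listing."""
    suites = []
    for line in filter(str.strip, text.splitlines()):
        m = LINE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        s = m.groupdict()
        s["bits"] = int(s["bits"] or 0)      # Enc=None (NULL suites) has no size
        s["weak"] = s["enc"] in WEAK_ENC
        suites.append(s)
    return suites

def audit(text):
    """Map each weak suite to the stronger suites it is ranked ahead of."""
    suites = parse(text)
    return {
        s["name"]: [t["name"] for t in suites[i + 1:] if not t["weak"]]
        for i, s in enumerate(suites) if s["weak"]
    }

def negotiate(text, client_offers):
    """Suite a server honouring its own order picks for this client, or None."""
    return next((s["name"] for s in parse(text) if s["name"] in client_offers), None)

if __name__ == "__main__":
    for name, outranked in audit(SAMPLE).items():
        print(f"{name}: weak, ranked ahead of {outranked or 'nothing stronger'}")
    print(negotiate(SAMPLE, {"RC4-SHA", "AES128-SHA"}))
```

A non-empty list for any weak suite means some client that supports a stronger suite can still end up on RC4 or DES; removing the weak suites from the server's cipher string clears the finding.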