From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Date: Fri, 18 Apr 2014 17:45:00 +0100
Message-Id: <201404181745.01433.michaelkintzios@gmail.com>
In-Reply-To: <53513640.9060307@gmail.com>

On Friday 18 Apr 2014 15:27:12 Dale wrote:
> Matti Nykyri wrote:
> > On Apr 17, 2014, at 23:17, walt wrote:
> >> On 04/17/2014 11:43 AM, Matti Nykyri wrote:
> >>> I don't know much about the secp521r1 curve or about its security.
> >>> You can list all available curves by:
> >>>
> >>> openssl ecparam -list_curves
> >>
> >> I don't either, but I hope this guy does :)
> >>
> >> http://www.math.columbia.edu/~woit/wordpress/?p=6243
> >
> > Good article :) The overall picture I had about EC is more or less the
> > same as described in the article. But you always have to make a threat
> > analysis and it depends on the private data you are protecting. By
> > definition any private data will be disclosed given enough time and
> > resources.
> >
> > So if your adversary is the NSA... Well, protecting the communication of
> > a regular internet user and your production server with SSL and X.509
> > certificates will just not secure the content. I'm 100% certain that the
> > NSA has access to at least one CA root certificate's private key. With
> > that they can do a man-in-the-middle attack that the regular user will
> > most likely never spot.
> >
> > In my own security model I'm protected from the NSA by the fact that it
> > will disappear in the flow of all other traffic, because the NSA is not
> > stealing credit card numbers :) ECDSA with ECDHE is fast and secure
> > according to public sources.
> >
> > The problem is totally different if you are protecting the secrets of
> > your company that are within the interest of the NSA. I'm lucky I don't
> > have to try that.
>
> On this topic about the NSA, I read an article that claimed the NSA was
> able to view HTTPS traffic live or close to live since they had some
> backdoor access keys. I don't recall where the article was, but since
> this is a knowledgeable bunch, is this true? If for example I go to my
> bank or credit card website, can they "easily" view that traffic?

If your bank was using certain versions of OpenSSL over the last two years,
then *any* attacker who knew of the Heartbleed bug would have been able to
steal the private key of the server and decrypt all communications with it.
It is rumoured (but could be FUD) that the NSA are likely to have known of
this vulnerability since at least November 2013.

> One reason this jumped out at me was that in the article, it was claimed
> that a group of people was going to rewrite the code/software/whatever
> for HTTPS and other encryption tools.
>
> If someone has links to such info for me to read and pass on to others,
> that would be great too.

HTTPS on its own does not mean much if it is using insecure (or less secure)
algorithms. RC4 and DES are no longer considered secure, but there are
websites and browsers that still use them in preference to more secure
cryptos. Some elliptic-curve-based algorithms peddled by NIST at the behest
of the NSA are now considered suspicious, if not downright compromised by
design.

http://safecurves.cr.yp.to/

-- 
Regards,
Mick
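An added example, not part of Mick's message and not OpenSSL's own code, of the check his last paragraph implies: a Python script that reads the listing `openssl ciphers -v` prints (for example `openssl ciphers -v 'ALL:COMPLEMENTOFALL'`, or the cipher string a server is configured with) and flags the suites the thread calls out (RC4, single DES) alongside the other classically weak ones (export-grade keys, NULL encryption, anonymous key exchange, MD5 MACs). It also flags static RSA key exchange, since that is the configuration in which a Heartbleed-style theft of the server key decrypts recorded past sessions; with ECDHE or DHE the thief can impersonate the server but cannot read old captures. The 3DES flag (64-bit block size) goes beyond what the thread mentions. The sample listing embedded in the script is constructed to match the `ciphers -v` column layout and was not captured from any real host; the file name `audit_ciphers.py` in the usage note is likewise just an assumption.

```python
"""Audit an `openssl ciphers -v` listing for weak algorithms.

Added example for the gentoo-user Heartbleed thread: flags RC4, single DES,
3DES, export-grade, NULL and anonymous suites, MD5 MACs, and static RSA key
exchange (no forward secrecy, so a stolen server key decrypts past traffic).
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample in the column layout `openssl ciphers -v` prints
# (OpenSSL 1.0.x era suite names; not captured from any real host).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
"""

# One `ciphers -v` line: NAME PROTO Kx=... Au=... Enc=... Mac=... [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str
    kx: str      # key exchange, e.g. ECDH, RSA, RSA(512)
    au: str      # authentication, e.g. RSA, ECDSA, None
    enc: str     # bulk cipher, e.g. AESGCM(256), RC4(128), None
    mac: str     # MAC, e.g. SHA1, MD5, AEAD
    export: bool


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into Suite records; blank lines are skipped."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ciphers -v line: {line!r}")
        suites.append(Suite(m["name"], m["proto"], m["kx"], m["au"],
                            m["enc"], m["mac"], m["export"] is not None))
    return suites


def weaknesses(s):
    """Return the reasons a suite should not be offered (empty list if none)."""
    problems = []
    if s.export or "(" in s.kx:           # Kx=RSA(512) / Kx=DH(512): export-grade
        problems.append("export-grade")
    if s.enc.startswith("RC4"):
        problems.append("RC4")
    if s.enc.startswith("DES("):          # single DES; 3DES(168) handled below
        problems.append("single DES")
    if s.enc.startswith("3DES"):          # 64-bit block; caveat added beyond the thread
        problems.append("3DES")
    if s.enc == "None":
        problems.append("NULL encryption")
    if s.au == "None":
        problems.append("anonymous key exchange, no server authentication")
    if s.mac == "MD5":
        problems.append("MD5 MAC")
    # Static RSA (or static DH, shown as Kx=DH/RSA) key exchange: a leaked
    # server key decrypts recorded sessions, which is the Heartbleed worst case.
    if s.kx.startswith("RSA") or "/" in s.kx:
        problems.append("no forward secrecy")
    return problems


def audit(text):
    """Map every weak suite name in the listing to its list of reasons."""
    return {s.name: weaknesses(s) for s in parse_ciphers_v(text) if weaknesses(s)}


def recommended_cipher_string(text):
    """Colon-joined OpenSSL cipher string of the suites that passed, in listed order."""
    return ":".join(s.name for s in parse_ciphers_v(text) if not weaknesses(s))


if __name__ == "__main__":
    # Read a real listing from a pipe; fall back to the constructed sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CIPHERS_V
    for name, reasons in audit(listing).items():
        print(f"{name:32} {', '.join(reasons)}")
    print("keep:", recommended_cipher_string(listing))
```

Run on the sample it reports six weak suites and keeps only the two ECDHE AES-GCM suites; on a live system, `openssl ciphers -v 'ALL:COMPLEMENTOFALL' | python3 audit_ciphers.py` shows what the local OpenSSL build is still willing to negotiate. The "no forward secrecy" flag is the one most relevant to the Heartbleed question above: a server that only offered ECDHE suites would still need its certificate replaced after a key leak, but an attacker holding the old key could not decrypt captured sessions after the fact.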