From: Dale
Date: Fri, 18 Apr 2014 09:27:12 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Message-ID: <53513640.9060307@gmail.com>

Matti Nykyri wrote:
> On Apr 17, 2014, at 23:17, walt wrote:
>
>> On 04/17/2014 11:43 AM, Matti Nykyri wrote:
>>> I don't know much about the secp521r1 curve or about its security.
>>> You can list all available curves by:
>>>
>>> openssl ecparam -list_curves
>> I don't either, but I hope this guy does :)
>>
>> http://www.math.columbia.edu/~woit/wordpress/?p=6243
> Good article :) The overall picture I had about EC is more or less the same as described in the article. But you always have to make a threat analysis and it depends on the private data you are protecting. By definition any private data will be disclosed given enough time and resources.
>
> So if your adversary is NSA... Well protecting the communication of regular internet user and your production server with SSL and x509 certificates will just not secure the content. I'm 100% certain that NSA has access to at least one CA root certificates private keys. With those they can do a man-in-the-middle attack that the regular user will most likely never spot.
>
> In my own security model I'm protected from NSA by the fact that it will disappear in the flow of all other traffic because NSA is not stealing credit card numbers :) ECDSA with ECDHE is fast and secure according to public sources.
>
> The problem is totally different if you are protecting the secrets of your company that are within the interest of NSA. I'm lucky I don't have to try that.
>

On this topic about NSA, I read an article that claimed the NSA was able to view httpS traffic live or close to live since they had some backdoor access keys. I don't recall where the article was but since this is a knowledgeable bunch, is this true? If for example I go to my bank or credit card website, can they "easily" view that traffic?

One reason this jumped out at me was that in the article, it was claimed that a group of people was going to rewrite the code/software/whatever for httpS and other encryption tools.

If someone has links to such info for me to read and pass on to others, that would be great too.

Thanks.

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!