public inbox for gentoo-user@lists.gentoo.org
From: Dale <rdalek1967@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Date: Fri, 18 Apr 2014 13:08:21 -0500	[thread overview]
Message-ID: <53516A15.3010305@gmail.com> (raw)
In-Reply-To: <201404181745.01433.michaelkintzios@gmail.com>


Mick wrote:
> On Friday 18 Apr 2014 15:27:12 Dale wrote:
>> On this topic about NSA, I read an article that claimed the NSA was able
>> to view httpS traffic live or close to live since they had some backdoor
>> access keys.  I don't recall where the article was but since this is a
>> knowledgeable bunch, is this true?  If for example I go to my bank or
>> credit card website, can they "easily" view that traffic?
>
> If your bank was using certain versions of openssl over the last two years,
> then *any* attacker who knew of the heartbleed bug would have been able to
> steal the private key of the server and decrypt all communications with it.
> It is rumoured (but could be FUD) NSA are likely to have known of this
> vulnerability since at least November 2013.

I'm a little vague on some things but it seems the claim was that NSA
had some sort of backdoor that was built in from the beginning of the
project for encryption which sounded like it would include httpS and
others.  Again, the details are fuzzy.  I would say that I need to
bookmark this sort of thing but I already have so many bookmarks that it
is very hard to dig through them as it is.  Adding more may be
counterproductive, yet again.


>> One reason this jumped out at me was that in the article, it was claimed
>> that a group of people was going to rewrite the code/software/whatever
>> for httpS and other encryption tools.
>>
>> If someone has links to such info for me to read and pass on to others,
>> that would be great too.
>
> HTTPS on its own does not mean much, if it is using insecure (less secure)
> algorithms.  RC4 and DES are no longer considered secure, but there are
> websites and browsers that still use them in preference to more secure
> cryptos.  Some elliptic-curve-based algorithms peddled by NIST at the behest
> of NSA are now considered suspicious, if not downright compromised by design.
>
>   http://safecurves.cr.yp.to/
>

Neat link.  Lots of red stuff, which I assume is bad.  ;-)  Will dive
into that more later on.

Thanks.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!
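
The cipher-suite point Mick makes above (HTTPS is only as strong as the suites it negotiates, and RC4 and DES still turn up) can be checked locally. The following is an added example, not code from this thread or from any poster: it builds two TLS client contexts with Python's ssl module, one with a permissive legacy cipher string and one with a hardened string that explicitly excludes RC4, DES, 3DES and MD5, and lists which suites each would offer. The cipher strings, the WEAK_MARKERS list and the function names are assumptions chosen for illustration; what the legacy context actually offers depends on the OpenSSL build Python is linked against (modern builds drop RC4 entirely), which is exactly why checking the offered list rather than trusting the string is worthwhile.

```python
import ssl

# Illustrative cipher strings (assumed, not taken from the thread):
# LEGACY_CIPHERS is the kind of "everything except unauthenticated/null"
# list that still admits RC4, DES and 3DES on builds that ship them;
# HARDENED_CIPHERS restricts to HIGH-strength suites and names the weak
# primitives explicitly so they cannot come back via an alias like ALL.
LEGACY_CIPHERS = "ALL:!aNULL:!eNULL"
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5:!EXPORT"

# Substrings in OpenSSL suite names that indicate a primitive we do not want.
# "DES" also matches the 3DES suites ("DES-CBC3-SHA"), which is intended.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def weak_suites(cipher_names):
    """Return the suite names that mention a weak primitive (RC4, DES/3DES, MD5, NULL, EXPORT)."""
    return [n for n in cipher_names if any(m in n.upper() for m in WEAK_MARKERS)]


def offered_suites(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Build a TLS client context from an OpenSSL cipher string and return the
    suite names it would offer.  TLS 1.3 suites are reported too, because
    OpenSSL keeps them regardless of the TLS 1.2 cipher string.
    Raises ssl.SSLError if nothing in the string matches the linked OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version      # SSLv3/TLS1.0/1.1 are off the table too
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def report(label, cipher_string):
    names = offered_suites(cipher_string)
    weak = weak_suites(names)
    print(f"{label}: {len(names)} suites offered, {len(weak)} weak")
    for n in weak:
        print(f"    weak: {n}")
    return weak


if __name__ == "__main__":
    report("legacy  ", LEGACY_CIPHERS)
    report("hardened", HARDENED_CIPHERS)
```

The hardened list must never contain a weak suite on any OpenSSL build; the legacy list shows how many weak suites the local library would still negotiate if a server preferred them. The same cipher strings are what go into a server's SSLCipherSuite (Apache) or ssl_ciphers (nginx) directive, so the check translates directly to the server side of the thread's subject.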



Thread overview: 42+ messages
2014-04-16 10:52 [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones Tanstaafl
2014-04-16 11:14 ` Matti Nykyri
2014-04-16 17:56   ` Tanstaafl
2014-04-17  5:59     ` Matti Nykyri
2014-04-17  6:10     ` Mick
2014-04-17 14:40       ` Matti Nykyri
2014-04-17 15:49         ` Mick
2014-04-17 16:54           ` Joe User
2014-04-17 18:43           ` Matti Nykyri
2014-04-17 20:17             ` [gentoo-user] " walt
2014-04-18  5:50               ` Matti Nykyri
2014-04-18 14:27                 ` Dale
2014-04-18 16:45                   ` Mick
2014-04-18 18:08                     ` Dale [this message]
2014-04-18 19:01                       ` Mick
2014-04-18 20:27                         ` Dale
2014-04-18 23:33                           ` Mick
2014-04-19 15:29                             ` Dale
2014-04-19 15:43                               ` Matti Nykyri
2014-04-19 19:33                                 ` Dale
2014-04-19 19:43                                   ` Joe User
2014-04-19 21:23                                     ` Dale
2014-04-20  0:18                                 ` Peter Humphrey
2014-04-20  8:49                                   ` Mick
2014-04-20  9:21                                     ` Matti Nykyri
2014-04-20 10:26                                       ` Mick
2014-04-19 16:11                               ` Mick
2014-04-19 18:41                                 ` Dale
2014-04-20  8:27                                   ` Mick
2014-04-20  9:10                                     ` Dale
2014-04-20 12:38                                       ` Mick
2014-04-20 16:40                                         ` Matti Nykyri
2014-04-20 17:20                                           ` Joe User
2014-04-21  6:57                                             ` Matti Nykyri
2014-04-20 18:36                                         ` Dale
2014-04-19 11:51             ` [gentoo-user] " Mick
2014-04-19 13:17               ` Joe User
2014-04-19 15:38                 ` Matti Nykyri
2014-04-19 16:40                   ` Joe User
2014-04-19 17:14                 ` Mick
2014-04-20 23:20                 ` Mick
2014-04-21  7:11                   ` Matti Nykyri
