Mick wrote:
> On Friday 18 Apr 2014 15:27:12 Dale wrote:
>>
>> On this topic about NSA, I read an article that claimed the NSA was able
>> to view httpS traffic live or close to live since they had some backdoor
>> access keys. I don't recall where the article was but since this is a
>> knowledgeable bunch, is this true? If for example I go to my bank or
>> credit card website, can they "easily" view that traffic?
>
> If your bank was using certain versions of openssl over the last two years,
> then *any* attacker who knew of the heartbleed bug would have been able to
> steal the private key of the server and decrypt all communications with it.
> It is rumoured (but could be FUD) NSA are likely to have known of this
> vulnerability since at least November 2013.
I'm a little vague on some things but it seems the claim was that
NSA had some sort of backdoor that was built in from the beginning
of the project for encryption which sounded like it would include
httpS and others. Again, the details are fuzzy. I would say that I
need to bookmark this sort of thing but I already have so many
bookmarks that it is very hard to dig through them as it is. Adding
more may be counterproductive, yet again.
>
>> One reason this jumped out at me was that in the article, it was claimed
>> that a group of people was going to rewrite the code/software/whatever
>> for httpS and other encryption tools.
>>
>> If someone has links to such info for me to read and pass on to others,
>> that would be great too.
>
> HTTPS on its own does not mean much, if it is using insecure (less secure)
> algorithms. RC4 and DES are no longer considered secure, but there are
> websites and browsers that still use them in preference to more secure
> cryptos. Some elliptic-curve-based algorithms peddled by NIST at the behest
> of NSA are now considered suspicious, if not downright compromised by design.
>
> http://safecurves.cr.yp.to/
>
Neat link. Lots of red stuff, which I assume is bad. ;-) Will
dive into that more later on.
Thanks.
Dale
:-) :-)
--
I am only responsible for what I said ... Not for what you
understood or how you interpreted my words!
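Mick's point that HTTPS says little when the negotiated suite still uses RC4 or DES can be checked from the client side. The following Python example is added here and is not code from anyone in this thread; it assumes CPython's `ssl` module is linked against OpenSSL, and the sample server offer list and the weak-suite policy are constructed for illustration. It audits a list of cipher-suite names against a deny list and builds a client context that cannot negotiate those families, then confirms that none survive in the context's own suite list.

```python
"""Audit TLS cipher-suite names against a deny list of weak algorithms
and build a client context that can never negotiate them.
Added example for this thread; not code from any poster."""
import ssl

# Substrings of OpenSSL cipher-suite names that mark a suite as weak.
# Constructed policy for this example: RC4 and DES from the thread,
# plus export-grade, NULL-encryption, MD5-MAC and anonymous suites.
WEAK_MARKERS = (
    ("RC4", "RC4 stream cipher (biased keystream)"),
    ("DES", "DES/3DES block cipher (64-bit block size)"),
    ("NULL", "no encryption at all"),
    ("EXP", "export-grade key length"),
    ("MD5", "MD5-based MAC"),
    ("ADH", "anonymous DH, no server authentication"),
    ("AECDH", "anonymous ECDH, no server authentication"),
)

# Constructed sample of what a legacy server might advertise.
SAMPLE_SERVER_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "AES256-SHA",
    "RC4-SHA",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "NULL-SHA",
]


def weak_reasons(suite_name):
    """Return the reasons a suite name is rejected (empty list = accepted)."""
    return [reason for marker, reason in WEAK_MARKERS if marker in suite_name]


def audit(suite_names):
    """Split suite names into an accepted list and a {name: [reasons]} map."""
    accepted, rejected = [], {}
    for name in suite_names:
        reasons = weak_reasons(name)
        if reasons:
            rejected[name] = reasons
        else:
            accepted.append(name)
    return accepted, rejected


def hardened_client_context():
    """Client context limited to TLS 1.2+ and AEAD suites with forward secrecy.
    Assumes the ssl module is backed by OpenSSL (cipher-string syntax)."""
    ctx = ssl.create_default_context()  # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Allow only ECDHE key exchange with AES-GCM or ChaCha20-Poly1305, and
    # explicitly forbid the weak families so no default can re-add them.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5:!EXPORT"
    )
    return ctx


def context_weak_suites(ctx):
    """Suites the context could still negotiate that violate the policy."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    return {name: weak_reasons(name) for name in offered if weak_reasons(name)}


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_SERVER_OFFER)
    print("accepted:", ok)
    for name, why in bad.items():
        print("rejected:", name, "->", "; ".join(why))
    ctx = hardened_client_context()
    print("hardened context offers", len(ctx.get_ciphers()),
          "suites; weak ones remaining:", context_weak_suites(ctx))
```

The deny list only rejects weak primitives, so a suite such as AES256-SHA (RSA key exchange, no forward secrecy) passes the audit; the hardened context is stricter and admits only ECDHE AEAD suites, which is why the final check reports nothing left to reject. TLS 1.3 suites that OpenSSL adds on its own are also listed by `get_ciphers()` and contain none of the weak markers.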