Date: Thu, 14 Apr 2016 16:19:02 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: sebb@...b767.de, Árpád Magosányi
 <mag@...was.rulez.org>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] end of useable crypto in browsers?
Am 14.04.2016 um 00:54 schrieb Sebastian:
>> The browser developers have just decided that the trust relationship
>> architecture of the virtual world will be driven by the copyright
>> dinosaurs  from now on, by pulling off platform support from under those
>> who were experimenting with building meaningful trust models with the
>> admittedly few tools we already had.
>> [...]
>> The sociological and political fabric of society fundamentally depends
>> on our communication abilities. The future of our communication
>> abilities in turn depends on the communication platforms and the trust
>> relation models they support.
>
> That's true. But the keygen element is flawed by the known-broken CA
> system(*) and you can't build a secure house on a broken foundation. You
> could check whether the certificate for your site is issued by your CA,
> but if they can issue certificates they could simply attack your browsers
> updater. Our only hope for truly secure communication are tools like pgp
> combined with anonymity through for example TOR or freenet (not the ISP)

how do you come to the conclusion that you need any 3rd party CA for a 
client certificate which you accept on your server?
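As an added illustration of that point (not part of the thread), the script below stands up a private CA, issues a client certificate the way a server operator would after receiving a key from the browser, and then verifies the presented certificate against that private CA alone. No third-party CA is consulted at any step. It assumes the openssl command-line tool is installed; the CA and subject names are constructed placeholders.

```shell
#!/bin/sh
# Added example: private CA issuing and verifying client certificates.
# Assumes the openssl CLI is available. All names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. The private CA: a self-signed certificate that is the only trust anchor
#    the server will ever use for client authentication.
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Enrol a client: the client side generates a key pair and a CSR (the part
#    the browser's <keygen> element used to do), the private CA signs it.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/alice.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/alice.crt" >/dev/null 2>&1
}

# 3. What the server does on connect: accept the certificate only if it
#    chains to ca.crt. This is exactly the check nginx performs with
#    "ssl_verify_client on; ssl_client_certificate ca.crt;".
#    Returns 0 when the certificate is acceptable, non-zero otherwise.
server_accepts() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# A certificate for the same name issued by anyone else (here self-signed)
# must be rejected, because the trust anchor is the private CA, not a name.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=alice" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}
```

Run the functions in order (make_private_ca, issue_client_cert, server_accepts "$WORK/alice.crt") to see the private-CA client certificate accepted, then make_rogue_cert and server_accepts "$WORK/rogue.crt" to see a certificate from outside the private CA rejected.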
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/