lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 14 Apr 2016 16:30:55 +0200
From: Sebastian <sebb@...b767.de>
To: Reindl Harald <h.reindl@...lounge.net>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] end of useable crypto in browsers?

Am 2016-04-14 16:19, schrieb Reindl Harald:
> Am 14.04.2016 um 00:54 schrieb Sebastian:
>>> [...]
>> 
>> That's true. But the keygen element is flawed by the known-broken CA
>> system(*) and you can't build a secure house on a broken foundation. 
>> You
>> could check whether the certificate for your site is issued by your 
>> CA,
>> but if the can issue certificates they could simply attack your 
>> browsers
>> updater. Our only hope for truly secure communication are tools like 
>> pgp
>> combined with anonymity through for example TOR or freenet (not the 
>> ISP)
> 
> how do you come to the conclusion that you need any 3rd party CA for a
> client certificate which you accept on your server?

I don't. But even if you roll your own CA, you'll have a hard time 
avoiding someone with a wildcard CA (updater, every other page you open, 
...). Also, to use <keygen> you need to have a secure connection 
beforehand (or use http, which would make every MITM happy). Now it is 
possible to work around this, too, but then you may as well use fully 
encrypted channel.

The actual point of the paragraph is that this won't kill our protection 
from the big companies. Those are probably even the ones using it the 
most.


Greetings,
Sebastian

-- 

A great many of today's security technologies are "secure" only because 
no-one has ever bothered attacking them.
-- Peter Gutmann

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ