Open Source and information security mailing list archives
 
Date: Thu, 9 Sep 2010 18:58:53 +0530
From: Shreyas Zare <shreyas@...fence.com>
To: Tim <tim-security@...tinelchicken.org>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: [GOATSE SECURITY] Clench: Goatse's way to say
 "screw you" to certificate authorities

Hi,

I totally agree with Tim. SSL is fragile, but the protocol mentioned
basically creates the same problems that PKI was created to solve.

Regards,

Shreyas Zare

Sr. Information Security Researcher
Secfence Technologies
www.secfence.com


On Thu, Sep 9, 2010 at 1:00 AM, Tim <tim-security@...tinelchicken.org> wrote:

> > > This is no different than installing a client cert
> >
> > Yes, exactly. This is as equally secure as installing a client cert.
> > Except it is achieved without a client cert, using only a password, in
> > a manner that can be more easily scaled to lots of users.
>
> Um... I think you have it backwards.  Public key crypto scales,
> symmetric does not.  How many unique passwords do you use for the
> dozens/hundreds of websites you have an account with?  Scalability
> with people is what matters.  Current websites and client software do
> not make it easy to use one certificate for many sites, but this
> strategy scales much better.
>
> The core difference between the two is that the number of unique keys
> needed to carry on private conversations in a group of entities grows
> O(n^2) with symmetric keys and O(n) with public keys.  I'm sure you
> realize this though.
>
> tim
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


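Tim's quoted point about key counts, as an added worked example that is not part of the original thread or of any code from Goatse Security or Secfence: it models a group of n parties with a toy Diffie-Hellman over a small prime (standard library only; the prime 2**61 - 1 and base 3 are an assumption chosen purely for illustration and are far too small to be secure) and contrasts the n(n-1)/2 distinct secrets that pairwise symmetric keys require, one per peer stored by every party, with the n key pairs from which any two parties can still derive their own shared key while each stores a single private key.

```python
"""Added example: why per-pair symmetric secrets grow O(n^2) while public
keys grow O(n).

Uses a toy Diffie-Hellman group so the script runs with the standard
library only.  The parameters below are an assumption of this example,
not anything from the thread, and are far too small to be secure.
"""
import hashlib
import itertools
import secrets

# Toy group, constructed for the example only: p = 2**61 - 1 is prime and
# 3 serves as the base.  Real deployments use X25519 or a standardised
# MODP/EC group; correctness of the agreement below does not depend on the
# base's order, only on the maths of modular exponentiation.
P = 2**61 - 1
G = 3


def symmetric_keys_needed(n: int) -> int:
    """Distinct secrets so that every pair of n parties shares one: n choose 2."""
    return n * (n - 1) // 2


def symmetric_secrets_per_party(n: int) -> int:
    """Each party stores one secret per peer (one unique password per site)."""
    return n - 1


def public_keys_needed(n: int) -> int:
    """One published key per party lets any pair derive a shared secret."""
    return n


def keygen() -> tuple[int, int]:
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1  # 1 <= priv <= P - 2
    pub = pow(G, priv, P)
    return priv, pub


def shared_key(my_priv: int, peer_pub: int) -> bytes:
    """Derive a symmetric key from my private key and the peer's public key."""
    shared = pow(peer_pub, my_priv, P)  # fits in 8 bytes because P < 2**64
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def pairwise_keys_from_public_keys(n: int) -> dict[tuple[int, int], bytes]:
    """Give each of n parties one key pair and derive a key for every pair.

    Returns {(i, j): key} with i < j.  Each party stores only its own private
    key; the n public keys are the only material that has to be distributed,
    yet all n(n-1)/2 pairs end up with a key of their own.
    """
    keypairs = [keygen() for _ in range(n)]
    derived = {}
    for i, j in itertools.combinations(range(n), 2):
        priv_i, pub_i = keypairs[i]
        priv_j, pub_j = keypairs[j]
        k_ij = shared_key(priv_i, pub_j)
        k_ji = shared_key(priv_j, pub_i)
        if k_ij != k_ji:  # mathematically impossible; kept as a sanity check
            raise RuntimeError("DH agreement failed")
        derived[(i, j)] = k_ij
    return derived


def compare(n: int) -> dict[str, int]:
    """Summarise how much secret material each scheme needs for n parties."""
    return {
        "parties": n,
        "symmetric_total_secrets": symmetric_keys_needed(n),
        "symmetric_secrets_per_party": symmetric_secrets_per_party(n),
        "public_key_pairs": public_keys_needed(n),
        "private_keys_per_party": 1,
        "pairs_covered": len(pairwise_keys_from_public_keys(n)),
    }


if __name__ == "__main__":
    for n in (2, 10, 100):
        print(compare(n))
```

For n = 100 the symmetric scheme needs 4950 secrets in total and 99 per party, while the public-key scheme needs 100 key pairs, one private key per party, and still covers all 4950 pairs; that gap is the scaling argument in the quoted reply.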
