Open Source and information security mailing list archives
Message-Id: <2845E0BC-7F7F-40DB-BD2E-84706AC863F1@gmail.com>
Date: Fri, 4 Mar 2011 08:14:10 -0800
From: bk <chort0@...il.com>
To: full-disclosure <Full-Disclosure@...ts.grok.org.uk>,
	Michael Krymson <krymson@...il.com>
Subject: Re: Python ssl handling could be better...

On Mar 4, 2011, at 7:53 AM, Michael Krymson wrote:

> The problem with this discussion is simply one of definition of security. For some, security is entirely black and white. 

I can't speak for others, but I don't see anything as black & white.  What I'm railing against is FALSE security.  If it can be trivially broken, it shouldn't be labeled as security.  Python has an incomplete implementation of SSL.  The protocol was not designed to be used w/o authentication.  It's lazy people who took it out.  One cannot implement a lock without pins.  If anyone can walk up and turn the plug, it has no value and if someone is selling that to you to make your house safe, they would be sued.

If we're talking about whether a certain key length would take 20 years vs. implementing more operations to make it last for 50 years, that's a discussion of acceptable levels of risk and it comes down to what's appropriate for the data you're protecting.  If you're talking about whether it takes 5 minutes to download a sniffing program vs. taking 10 minutes to download and configure tools to MITM a connection, that's not shades of grey.  It's freakin broken.

>  
> These people probably tend to be those who've actually had jobs in general digital defense...

LOL, really?  Have you seen http://extendedsubset.com/?page_id=2 (Marsh Ray)?  What about http://www.sentinelchicken.com/advisories/ (Tim).  

I've worked in security roles since 2000 and I'm credited in http://support.apple.com/kb/HT2009 .

--
chort
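
The configuration the post objects to, encryption with no certificate or hostname check, is easy to reproduce with today's ssl module, and easy to audit for. The following is an added example, not code from the post or from the Python project: it builds the "any certificate accepted" client context on purpose next to the verifying one, and a small audit() that reports the settings a reviewer should flag. The 2011-era ssl.wrap_socket() helper (whose cert_reqs defaulted to CERT_NONE) was removed in Python 3.12, so the example uses SSLContext throughout; the function names, the audit wording and the host/port in open_client() are my own choices.

```python
"""Weak vs. verifying TLS client configuration in Python's ssl module,
plus an audit that flags 'encryption without authentication'.
Added example; not code from the mailing-list post or from Python itself."""
import socket
import ssl
from typing import List, Optional


def unauthenticated_context() -> ssl.SSLContext:
    """Deliberately reproduces the setup the post calls false security:
    the peer certificate is never validated, so any MITM endpoint that
    presents *some* certificate completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be lowered;
    # setting CERT_NONE while check_hostname is True raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticated_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What an SSL/TLS client is supposed to do: require a certificate,
    chain it to a trust anchor (system store, or the given CA file) and
    match the presented name against the host we asked for."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSLv3/TLS 1.0/1.1 fallback
    return ctx


def is_authenticating(ctx: ssl.SSLContext) -> bool:
    """True only if the server is actually authenticated, not just encrypted to."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: the server certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a valid certificate for some other name is accepted")
    # CERT_REQUIRED with an empty trust store fails closed on every handshake;
    # worth reporting so nobody 'fixes' it by switching back to CERT_NONE.
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded: load a trust store (cafile/capath) or every handshake fails")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: downgrade to legacy protocol versions is possible")
    return findings


def open_client(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect and wrap; server_hostname is what enables SNI *and* the hostname check.
    Not exercised here because it needs a live server; shown for completeness."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("weak", unauthenticated_context()), ("verifying", authenticated_context())):
        print(f"{label}: authenticating={is_authenticating(ctx)}")
        for f in audit(ctx):
            print("  -", f)
```

The order of the two assignments in unauthenticated_context() is the practical caveat: modern Python refuses to drop verify_mode while check_hostname is still set, which is exactly why code that was "fixed" by sprinkling check_hostname = False before CERT_NONE should be read as a red flag rather than a fix. The audit only reads context attributes, so it runs offline and can be pointed at any SSLContext a codebase constructs.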


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
