Open Source and information security mailing list archives
Date: Wed, 13 Apr 2016 17:09:02 +0200
From: Sebastian <sebb@...b767.de>
To: Árpád Magosányi <mag@...was.rulez.org>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] end of useable crypto in browsers?

Hey,

> This is not a security vulnerability in itself, "just" a trend
> undermining the trust architecture of the whole internet :)
> [...]
> Any ideas on how to make them understand the scale of the doom we are
> facing right now?

to put it simply: No.

The real problem is that no one is using it. Yes, it is pretty secure,
but it's too much trouble for most users (try to log in from your phone)
and also a baseless PITA for most server operators. It's also not good
for business (you need to be able to restore the certificate easily,
have multiple devices, all your servers need https ...). To make matters
worse, many browsers don't even bother supporting it (looking at you,
internet explorer^W^Wedge).

To be fully honest, I'd prefer to keep it. Yes, browser support is bad
and hardly anyone uses it, but it doesn't hurt anyone and at least there
are/were some users (i.e. StartSSL). But to truly convince them, you'd
probably need
a) support from at least a major browser. If the other "cool kids" don't
do it, good luck getting this through.
b) an example of the "doom" we're facing, because neither they nor I
see it. The web would hardly be less secure, same as if we'd drop SQRL:
Yes, it's pretty secure as far as I can tell, but who is using it and
would therefore be less secure anyway?

Here's a related discussion:
https://groups.google.com/forum/#!msg/mozilla.dev.platform/pAUG2VQ6xfQ/FKX63BwOIwAJ .

Greetings,
Sebastian

On 2016-04-09 11:34, Árpád Magosányi wrote:
> Hi,
> 
> This is not a security vulnerability in itself, "just" a trend
> undermining the trust architecture of the whole internet :)
> 
> I think it is very important, and wonder why I don't see any discussion
> of it. If this is not the right forum to discuss it, please direct me
> to the right place.
> 
> The problem is:
> 
> Browser developers are dropping support for X509 key generation.
> Yes, <keygen> has its problems. But window.crypto - which is meant to
> replace it - has no way to save keys in the browser's keystore.
> 
> Instead of going to some cross-browser and cross-OS support for key
> management, we are now in a state where there are browser/OS
> combinations (stable chrome with non-windows OS), where there is no way
> to generate and store a key to be later used for ssl authentication.
> 
> Looking at the related bug reports it seems that browser developers do
> not even understand the problem this creates.
> 
> Any ideas on how to make them understand the scale of the doom we are
> facing right now?
> 
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

-- 

A great many of today's security technologies are "secure" only because 
no-one has ever bothered attacking them.
-- Peter Gutmann
