Re: [cryptography] not a Paypal phish using EV certificate
To: James, just with the scope of large/small cookies. The problem is that if your cookie is a single number and you have multiple frontends able to process the request (and you are load balancing), you need to have those share state, which might not make sense (esp. if you have a geo-distributed LB that allows users to migrate between different data centers, because at that point you need to account for cross-data-center latency). So usually people end up putting the state data in the cookie and then signing it in some way. Sometimes the large and multiple cookies are a matter of a low level of coordination between teams writing different parts of the app/libraries, and sometimes it's pure incompetence :)

Regarding multiple domains, one of the reasons is that the larger companies would push the static content to a CDN and only keep the core logic on site, thus accelerating delivery. In addition to that, in PP's case they are moving a lot of user-provided content to the CDN, so combine that with what was already said about separating the domain so cookies cannot be stolen.

Best,
Krassi

On Tue, Aug 13, 2013 at 4:38 PM, Seth David Schoen sch...@eff.org wrote:
> James A. Donald writes:
>> Although websites often use huge numbers of huge cookies, one can easily optimize one's cookie use. I can see no reason why anyone would ever need more than a single 96 bit cookie that is a random number.
>
> They might want to make the content and purpose of the cookie transparent to the user, and perhaps even reassure the user that the cookie can't easily be used as a unique identifier for the user's browser. On the flip side, there are also some mechanisms to store authenticated, encrypted session state in its entirety on the client in order to _avoid_ storing it in a database on the server.
> --
> Seth Schoen sch...@eff.org
> Senior Staff Technologist https://www.eff.org/
> Electronic Frontier Foundation https://www.eff.org/join
> 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
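Seth's last sentence describes the mechanism Krassi's load-balanced frontends want: the whole session state travels in the cookie, authenticated and encrypted, so any frontend in any data center can validate it with nothing but a key. As an added example (not code from either poster), here is a standard-library-only version: encrypt-then-MAC with HMAC-SHA256 used as a PRF keystream, a separate HMAC tag checked in constant time before anything is decrypted, and an expiry inside the sealed body. `seal`, `open_cookie`, `tamper_demo`, the key-derivation labels and the constructed key and state are this example's own names. In production use a real AEAD (AES-GCM or XChaCha20-Poly1305 from a library) rather than this hand-rolled stream.

```python
"""Stateless session cookie: authenticated + encrypted state carried by the client,
so no frontend needs shared session storage.  Added example, standard library only;
HMAC-SHA256 is used as a PRF in counter mode for the keystream and again for the tag."""
import base64
import hashlib
import hmac
import json
import os
import time

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master, label):
    # separate keys for encryption and authentication, both from one master key
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(state, master_key, ttl=3600, now=None):
    """Return an opaque, tamper-evident cookie value for `state` (a JSON-able dict)."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"exp": now + ttl, "data": state}, separators=(",", ":")).encode()
    nonce = os.urandom(NONCE_LEN)  # fresh per cookie, so the keystream never repeats
    ct = bytes(p ^ k for p, k in zip(body, _keystream(_derive(master_key, b"enc"), nonce, len(body))))
    tag = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return _b64e(nonce + ct + tag)


def open_cookie(cookie, master_key, now=None):
    """Return the state dict, or None if the cookie is forged, corrupted or expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = _b64d(cookie)
    except (ValueError, TypeError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting, constant time
        return None
    body = bytes(c ^ k for c, k in zip(ct, _keystream(_derive(master_key, b"enc"), nonce, len(ct))))
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    if not isinstance(obj, dict) or obj.get("exp", 0) < now:
        return None
    return obj.get("data")


def tamper_demo(master_key=b"constructed 32-byte master key.."):
    """Constructed check: a valid cookie opens; one flipped ciphertext bit or an expired
    timestamp is rejected.  Returns (opened, after_bit_flip, after_expiry)."""
    cookie = seal({"uid": 42, "role": "user"}, master_key, ttl=60, now=1_000_000)
    raw = bytearray(_b64d(cookie))
    raw[NONCE_LEN] ^= 0x01  # flip one bit of ciphertext: the tag no longer matches
    forged = _b64e(bytes(raw))
    return (open_cookie(cookie, master_key, now=1_000_010),
            open_cookie(forged, master_key, now=1_000_010),
            open_cookie(cookie, master_key, now=1_000_100))
```

Validation needs only the master key, which is what makes this work across data centers; what still needs shared state is revocation (logout before expiry), which is the usual price of client-side sessions, and why the TTL is kept short.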
Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service
On Wed, Aug 14, 2013 at 09:47:09AM +1000, James A. Donald wrote:
> On 2013-08-14 6:10 AM, Nico Williams wrote:
>> - it's really not easy to defeat the PRISMs. the problem is *political* more than technological.
>
> For a human to read all communications would be an impossible burden.

We're rapidly approaching that point where judge, jury and executioner are completely automated. As such neither scaling issues of the Stasi (at some point some half of the population were informants) nor quis custodiet are a problem.

> Instead, apply the following algorithm. Identify people of interest. Read communications between persons of interest. If several people of interest talk to Bob, then Bob may well also be a person of interest. /Then/ read their communications. If significant, add Bob to the list of people of interest.

IIRC there's already collection on three degrees of separation in place, and that is already a fair fraction of the global population, so at least part of the judging is already automated.

> Looking at communication patterns, identify the more central nodes among people of interest. Make a special effort to crack the communications of the most central nodes.
>
> The technological counter to this is the cypherpunks remailers, which are unfortunately user hostile, especially when used with a permanent identity.

How badly bitrotted is the codebase? With the current threat model it looks like high-latency anonymous networks could well use a revival.
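The contact-chaining algorithm quoted above (expand from persons of interest a few hops out, then look for the central nodes), run on a constructed random graph as an added example; this is not code or data from the thread, and `make_graph`, `chain`, `central_nodes` and `coverage` are this example's names. It shows the point about three degrees of separation numerically: with a modest average number of contacts, a handful of seeds reaches a sizeable fraction of the whole population within three hops.

```python
"""Contact chaining: k-hop expansion from a seed set over a communication graph,
then a crude centrality ranking of the expanded set.  Added example on a
constructed random graph, not real data."""
import random
from collections import deque


def make_graph(n, avg_degree, seed=1):
    """Constructed: random undirected graph with about avg_degree contacts per node."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for _ in range(n * avg_degree // 2):
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def chain(adj, seeds, hops):
    """Breadth-first: everyone within `hops` of a seed, mapped to the hop that reached them."""
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        u = queue.popleft()
        if dist[u] == hops:  # do not expand past the hop limit
            continue
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def central_nodes(adj, members, top=5):
    """Members ranked by how many of their contacts are also inside the set."""
    return sorted(members, key=lambda u: (-len(adj[u] & members), u))[:top]


def coverage(n=10_000, avg_degree=10, seeds=(0, 1, 2), hops=3):
    """(people reached per hop, fraction of the population reached, most central nodes)."""
    adj = make_graph(n, avg_degree)
    dist = chain(adj, list(seeds), hops)
    per_hop = [sum(1 for d in dist.values() if d == h) for h in range(hops + 1)]
    return per_hop, len(dist) / n, central_nodes(adj, set(dist))
```

Each extra hop multiplies the reached set by roughly the average degree until the graph saturates, which is why the hop count, not the seed list, is the parameter that decides how much of the population ends up "of interest".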
[cryptography] Examples of Boneh/Silverberg Multilinear Forms
In Applications of Multilinear Forms to Cryptography, Boneh and Silverberg cite Weil and Tate pairings as examples. Are there others?

Cheers,
Scott
Re: [cryptography] Examples of Boneh/Silverberg Multilinear Forms
The Weil and Tate pairings give (cryptographically useful) *bilinear* maps. Cryptographically useful *multilinear* maps were unknown until recently:

https://eprint.iacr.org/2012/610
https://eprint.iacr.org/2013/183

On Wed, Aug 14, 2013 at 11:27 AM, Scott Guthery s...@acw.com wrote:
> In Applications of Multilinear Forms to Cryptography, Boneh and Silverberg cite Weil and Tate pairings as examples. Are there others?
>
> Cheers,
> Scott
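As an added worked example (not from the thread), the application that motivates Boneh and Silverberg's definition and makes the bilinear/multilinear distinction in the reply concrete: an $n$-multilinear map gives a one-round key agreement among $n+1$ parties, and the bilinear case $n = 2$ is Joux's three-party protocol from the Weil or Tate pairing. The notation is the paper's generic one; $g$, $a_i$ and $K$ are this example's symbols.

A map $e : G^n \to G_T$ between cyclic groups of prime order $p$, with $G = \langle g \rangle$, is $n$-multilinear if for all $a_1, \ldots, a_n \in \mathbb{Z}_p$

$$e(g^{a_1}, \ldots, g^{a_n}) = e(g, \ldots, g)^{a_1 a_2 \cdots a_n},$$

and it is cryptographically useful only if $e(g, \ldots, g)$ generates $G_T$ and discrete logarithms in $G$ are hard. Party $i$ ($1 \le i \le n+1$) picks a secret $a_i$ and broadcasts $g^{a_i}$; then party $j$ combines the other $n$ public values with its own secret:

$$K = e(g^{a_1}, \ldots, g^{a_{j-1}}, g^{a_{j+1}}, \ldots, g^{a_{n+1}})^{a_j} = e(g, \ldots, g)^{a_1 a_2 \cdots a_{n+1}},$$

which is the same $K$ for every $j$, after one broadcast round. For $n = 2$ this reads $K = e(g^{a_2}, g^{a_3})^{a_1} = e(g, g)^{a_1 a_2 a_3}$: a pairing is enough for three parties, but a fourth party needs a trilinear map, and that is the gap for which the two eprints cited above are the first candidate constructions.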
[cryptography] Introducing Bletchley
I've made an initial release of Bletchley, which is a collection of cryptanalysis tools I've been working on for a while. The focus of the project is to make black-box detection and exploitation of common cryptography problems easier.

Bletchley is still in the early stages of development and consists of tools which provide:

* Automated token encoding detection (36 encoding variants)
* Passive ciphertext block length and repetition analysis
* Script generator for efficient automation of HTTP requests
* A flexible, multithreaded padding oracle attack library with CBC-R support

More info can be found here:
https://code.google.com/p/bletchley/

I'd love to hear any feedback.

Also note, I am teaching a 2-day application cryptanalysis class at AppSec USA that will rely heavily on Bletchley to implement realistic attacks in a lab environment. Schedule and info here:
http://sched.co/19n00R5

Thanks,
tim
Re: [cryptography] Introducing Bletchley
Hi coderman,

> cool! the threading support is useful, however, no native optimizations yet - is this on the radar? how about workers with OpenCL / CUDA kernels?

Well, the goal of multithreading with POA is to overcome network latency. Almost all of the attacks I implement are online attacks against web apps. POA doesn't require much CPU, it just requires sending lots of requests, retrieving an average of 1/8th of a bit of information per request (or thereabouts). As we add interesting offline attacks, CUDA/OpenCL or something similar would make a lot of sense though.

> issues sect. of project is empty; no links to a mailing list. where is technical discussion best directed?

It is a young project. This first release and notice was just to generate some buzz and see who is interested in using it and/or contributing. Feel free to post an issue to the Google code site if you have any specific questions or just email me privately. I can set up a mailing list once there's enough chatter.

Best regards,
tim
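The padding oracle attack and CBC-R that Bletchley's library automates (the announcement above), and the reason Tim gives for multithreading it (each guess is a round-trip, not CPU work), as one added example that is not Bletchley's code: the 256 per-byte guesses are dispatched from a thread pool against an oracle that answers only "padding valid" or not. To run offline it substitutes a toy 4-round Feistel cipher for the real block cipher; that cipher, `PaddingOracle`, `recover_intermediate`, `cbcr_forge` and the constructed key and messages are all this example's assumptions. The attack never looks inside the cipher, so the logic is unchanged against AES-CBC.

```python
"""Padding oracle attack on CBC/PKCS#7, guesses sent from a thread pool (the oracle
round-trip, not CPU, is the bottleneck), plus a CBC-R forgery.  Added example, not
Bletchley's code; toy Feistel cipher so it runs offline, attack logic unchanged for AES."""
import hashlib
import os
import threading
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # Feistel round function: keyed SHA-256 truncated to 8 bytes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_encrypt_block(key, block):  # 4-round Feistel, NOT a secure cipher
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right

def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(decrypt_block, iv, ct):
    """CBC chaining over any single-block decryptor: the real D_k, or the oracle-built one."""
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(prev, decrypt_block(ct[i:i + BLOCK]))
        prev = ct[i:i + BLOCK]
    return out

class PaddingOracle:  # stand-in for the vulnerable server: answers only valid/invalid padding
    def __init__(self, key):
        self._key, self.queries, self._lock = key, 0, threading.Lock()

    def __call__(self, iv, ct):
        with self._lock:
            self.queries += 1
        try:
            unpad(cbc_decrypt(lambda b: toy_decrypt_block(self._key, b), iv, ct))
            return True
        except ValueError:
            return False

def recover_intermediate(oracle, target, workers=16):
    """Recover D_k(target) one byte at a time, last byte first, without the key."""
    inter = bytearray(BLOCK)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            tail = bytes(inter[j] ^ padval for j in range(pos + 1, BLOCK))  # known bytes, forced to padval
            def probe(g, pos=pos, tail=tail):
                return oracle(bytes(pos) + bytes([g]) + tail, target)
            hits = [g for g, ok in enumerate(pool.map(probe, range(256))) if ok]
            if len(hits) > 1:  # last byte only: the real plaintext may already end in valid padding
                hits = [g for g in hits if oracle(bytes(pos - 1) + b"\xff" + bytes([g]) + tail, target)]
            if len(hits) != 1:
                raise RuntimeError(f"ambiguous oracle answers at byte {pos}: {hits}")
            inter[pos] = hits[0] ^ padval
    return bytes(inter)

def cbcr_forge(oracle, plaintext):
    """CBC-R: random last block, then each earlier block = D_k(next) XOR wanted plaintext block."""
    padded = pad(plaintext)
    chain = [os.urandom(BLOCK)]
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        chain.append(xor(recover_intermediate(oracle, chain[-1]), padded[i:i + BLOCK]))
    chain.reverse()
    return chain[0], b"".join(chain[1:])  # (iv, ciphertext)

def run_demo(key=b"constructed-key!"):
    """Constructed input: recover a secret with the oracle, then forge a chosen plaintext."""
    oracle = PaddingOracle(key)
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, pad(b"attack at dawn"))
    recovered = unpad(cbc_decrypt(lambda b: recover_intermediate(oracle, b), iv, ct))
    forged_iv, forged_ct = cbcr_forge(oracle, b"admin=true;uid=0")
    forged = unpad(cbc_decrypt(lambda b: toy_decrypt_block(key, b), forged_iv, forged_ct))
    return recovered, forged, oracle.queries
```

Every byte here costs a full sweep of 256 guesses (4096 oracle calls per block), so the one-block secret plus the two-block forgery take over 12,000 calls; a real attack stops at the first hit and averages 128 per byte, which is still thousands of HTTP requests per block and is why request throughput, not CPU, bounds the attack. Once `recover_intermediate` works, the attacker holds a block decryption oracle, and CBC-R turns the same primitive into an encryption oracle without ever learning the key.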
Re: [cryptography] Introducing Bletchley
On Wed, Aug 14, 2013 at 9:15 PM, Timothy D. Morgan tmor...@vsecurity.com wrote:
> ...
> Well, the goal of multithreading with POA is to overcome network latency. Almost all of the attacks I implement are online attacks against web apps. POA doesn't require much CPU, it just requires sending lots of requests,

right; perhaps this isn't useful yet. i was thinking of some particular very large socket and event handling in a native module, however, on second thought this may not be needed and where such optimization is useful it seems i can use an existing module...

> ...
> Feel free to post an issue to the Google code site if you have any specific questions or just email me privately. I can set up a mailing list once there's enough chatter.

please do set up a mailing list or google group if not too much trouble.

as for the feedback, not really a bug. here is some tuning i was playing with for launching with many many threads/sockets on linux. ymmv :)

---

NOTE: this config may require 16G of mem or more depending on application and load.

# disable conntrack if possible
iptables -t raw -A notracking -j NOTRACK

# append to /etc/security/limits.conf
# launch new session, then raise ulimits
*  soft  nofile  65535
*  hard  nofile  1048576

# echo for sysctl.conf; sysctl -p /etc/sysctl.conf
fs.file-max = 262140
net.core.somaxconn = 1048576
net.core.netdev_max_backlog = 2500
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_mem = 4096 87380 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_max_syn_backlog = 2500
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_fin_timeout = 5