https://www.techdirt.com/articles/20140721/11362227955/carnegie-mellon-kills-black-hat-talk-about-identifying-tor-users.shtml
Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users -- Perhaps
Because It Broke Wiretapping Laws
from the questionable-legality dept
There's some buzz in
On Fri, Jul 18, 2014 at 12:22 PM, Denis 'GNUtoo' Carikli
gnu...@no-log.org wrote:
...
If the adversary loses one exploit each time he attacks someone, then...
perhaps someone to help answer the question is Google, if they felt inclined.
per re:publica 2014 - Morgan Marquis-Boire: Fear and
On 07/19/14 11:13, carlo von lynX wrote:
On Fri, Jul 18, 2014 at 7:59 AM, Lorenzo Franceschi-Bicchierai
lorenzo...@gmail.com wrote:
I was wondering if it's time to make a list of not-so-good snakeoil
encryption services that have popped up after the Snowden revelations.
Let's look at the
You should stop using statements like you don't know what you are
doing, etc. or I will reply the same way.
I am participating in different W3C lists like CSP, Webapps co and in
WebCrypto as a (not very active) member, so I know very well what the
state of the art is, surprisingly I don't see
Thanks for your comments, please see mine below.
On 22/07/2014 03:40, coderman wrote:
On Mon, Jul 21, 2014 at 5:52 PM, Aymeric Vitte vitteayme...@gmail.com wrote:
... including your focus on elementary mitm
issue, your arguments and judgement are so basic that I am wondering why I
am
Interesting thoughts, please see my comments below.
On 22/07/2014 03:48, Seth David Schoen wrote:
Aymeric Vitte writes:
You obviously don't know what you are talking about or just did not
get what I explained or just do not understand http versus https or
the contrary, or just do not
On 07/22/14 13:47, Aymeric Vitte wrote:
I have been thinking about these issues for quite some time, unfortunately I
reached the conclusion that you cannot secure the code loading.
A humble suggestion:
With https, a self signed server certificate, a DANE record of that
certificate in DNSSEC and a
On Tue, Jul 22, 2014 at 11:12 AM, Guido Witmond gu...@witmond.nl wrote:
That way you could host all your javascript at the site. (but not at the
CDN).
If Subresource Integrity (SRI) were actually implemented by browsers,
serving JS via a CDN would be fine (and could even be done safely over
On Tue, Jul 22, 2014 at 4:47 AM, Aymeric Vitte vitteayme...@gmail.com
wrote:
Indeed extensions can be mitmed as easily as js code
Browser extensions are digitally signed by their authors, so no, they are
in no way as vulnerable to a MitM attack as JS served over plaintext HTTP:
Answering the last three answers at once.
On 22/07/2014 20:44, Tony Arcieri wrote:
Of course, we're still left with the bootstrapping problem of getting
an authentic parent page.
So finally you have highlighted the main issue, this is valid for
extensions too, this is why the
On 22/07/2014 20:44, Tony Arcieri wrote:
On Tue, Jul 22, 2014 at 11:12 AM, Guido Witmond gu...@witmond.nl wrote:
That way you could host all your javascript at the site. (but not at the
CDN).
If Subresource Integrity (SRI) were actually implemented by
On Tue, Jul 22, 2014 at 4:38 PM, Aymeric Vitte vitteayme...@gmail.com
wrote:
And checking what a 400 kB js code is doing is trivial for any serious js
dev
This assertion is completely ludicrous, especially when you're talking
about trying to find a potentially stealthy malicious payload in