> On 12.07.2016 г., at 12:12, Matthew Seaman <matt...@freebsd.org> wrote:
> I'm also curious as to how far these regulations are supposed to extend.
> Presumably traffic which is merely transiting Russian territory isn't
> covered, at least in a practical sense.  How about people from Russia
> accessing foreign websites?  I can't see any of the big Internet players
> implementing GOST in any locations outside Russia any time soon.
> Neither would I as a non-Russian have GOST capabilities client-side, so
> what happens if I go and look at say a YandX website over HTTPS?  Putin
> and his advisors aren't stupid, and they'd already have considered all
> this; plus, as you say, the timetable is clearly impossible; so there
> must be something else going on here.

The standard HTTPS implementation is already sufficiently broken, with the door 
wide open by the concept of “multiple CAs”. The protocol design is flawed, as 
any CA can issue certificate for any site. Applications are required to trust 
that certificates, as long as they trust the CA that issued them.

It is trivial to play MTIM with this protocol and in fact, there are 
commercially available “solutions” for “securing one’s corporate network” that 
doe exactly that. Some believe this is with the knowledge and approval of the 
corporation, but who is to say what the black box actually does and whose 
interests it serves?

There is of course an update to the protocol, DANE, that just shuts this door 
off. But… it faces heavy resistance, as it’s acceptance would mean the end of 
the lucrative CA business and the ability to intercept “secure” HTTPS 
communication. Those relying on the HPPTS flaws will never let it become wide 

In summary — anyone can sniff HTTPS traffic. No need for any cipher backdoors 
here. Nor any need for GOST to be involved.

> Of course, now there's fairly good evidence that there's some sort of
> backdoor in the GOST ciphers, all bets are off on how long it will be
> until they get broken in a very public manner.

One can say the same for any other crypto. Plus, for some ciphers there is 
already evidence.. yet they are still in use.
But, a good show is always worth it. Let’s watch for those heroes. :)


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Reply via email to