Re: [cryptography] a little help with cookies please
On 2015-09-16 11:40, Givon Zirkind wrote:

> is it correct that [web page] cookies are truly local?

Web page cookies are always sent to the server.

And what is truly evil is that umpteen different websites may include a link to google, which sends google the google cookies, so that google knows that it is the same person on many different websites.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
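The mechanism behind the reply above (a cookie set by an embedded third party is attached to every later request to that host, regardless of which site embedded it), as an added example that is not part of the thread. It is a small cookie jar written for this page, not any browser's code: host names such as tracker.example and site-a.example are constructed, domain matching is simplified to exact-host or dot-suffix (no public-suffix list), and the "site" of a request is taken to be the top-level page's host. It goes a little beyond the 2015 discussion by also honouring the Secure and SameSite attributes, which are the controls that now limit this behaviour.

```python
"""
Minimal cookie jar showing why a cookie set by an embedded third party
(a "tracker") travels with every request to that host, whichever site
embedded it. Added example, not from the mailing-list post. Host names
are constructed; domain matching is simplified to exact host or
dot-suffix (no public-suffix list) and the "site" of a request is just
its top-level host name.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str             # applies to this host and its subdomains
    path: str = "/"
    secure: bool = False
    samesite: str = "None"  # "None", "Lax" or "Strict"; "None" is the pre-SameSite default


def _domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def _path_matches(request_path, cookie_path):
    return request_path == cookie_path or request_path.startswith(cookie_path.rstrip("/") + "/")


class CookieJar:
    def __init__(self):
        self._cookies = []

    def set_from_response(self, response_url, set_cookie_header):
        """Store one Set-Cookie header value received from response_url."""
        host = urlparse(response_url).hostname
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        cookie = Cookie(name=name, value=value, domain=host)
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.lower()
            if key == "domain":
                val = val.lstrip(".").lower()
                if not _domain_matches(host, val):
                    return          # a host may not set cookies for an unrelated domain
                cookie.domain = val
            elif key == "path":
                cookie.path = val or "/"
            elif key == "secure":
                cookie.secure = True
            elif key == "samesite":
                cookie.samesite = val.capitalize()
        # a later cookie with the same (name, domain, path) replaces the earlier one
        self._cookies = [c for c in self._cookies
                         if (c.name, c.domain, c.path) != (cookie.name, cookie.domain, cookie.path)]
        self._cookies.append(cookie)

    def cookie_header(self, request_url, top_level_site, top_level_navigation=False):
        """Cookie header value a browser would attach to request_url when the
        request is made from a page on top_level_site."""
        u = urlparse(request_url)
        host, path = u.hostname, (u.path or "/")
        cross_site = not _domain_matches(host, top_level_site)
        sent = []
        for c in self._cookies:
            if not _domain_matches(host, c.domain) or not _path_matches(path, c.path):
                continue
            if c.secure and u.scheme != "https":
                continue
            if cross_site and c.samesite == "Strict":
                continue
            if cross_site and c.samesite == "Lax" and not top_level_navigation:
                continue
            sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def tracking_demo():
    """Two unrelated sites embed https://tracker.example/pixel.gif (constructed).
    The tracker's cookie rides along on both embedded requests, so the tracker
    can link the two visits; the embedding sites themselves never see it."""
    jar = CookieJar()
    jar.set_from_response("https://tracker.example/pixel.gif", "uid=7f3a; Path=/; Secure")
    jar.set_from_response("https://tracker.example/login", "sess=1; SameSite=Strict")
    pixel = "https://tracker.example/pixel.gif"
    return {
        "embedded_in_site_a": jar.cookie_header(pixel, "site-a.example"),
        "embedded_in_site_b": jar.cookie_header(pixel, "site-b.example"),
        "on_tracker_itself": jar.cookie_header(pixel, "tracker.example"),
        "to_site_a_itself": jar.cookie_header("https://site-a.example/page", "site-a.example"),
        "embedded_over_http": jar.cookie_header("http://tracker.example/pixel.gif", "site-a.example"),
    }


if __name__ == "__main__":
    for context, header in tracking_demo().items():
        print(f"{context:22s} Cookie: {header!r}")
```

The uid cookie is sent from both embedding sites and never to site-a.example itself, which is the cross-site linkage the reply describes; the Strict cookie shows the one attribute that stops it, and since some browsers now default unspecified cookies to Lax, the 2015 "always sent" behaviour requires an explicit SameSite=None today.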
Re: [cryptography] a little help with cookies please
Is it correct that [web page] cookies are truly local? Is it correct that they are not passed to the server when a submit button is pressed unless specifically sent, unlike [web page] form data, which is automatically passed to the server?
Re: [cryptography] [Cryptography] JYA and Cryptome Keys Compromised
Correct analysis. First was to get out a prompt notice to wave off users, then proceed with other authentications.

Toughest problem is how to avoid another compromise of new keys, since so many ways to do that have arisen and/or been suspected over the life of PGP and other systems. WoT is problematic too, as are key signing parties, and so on. Other systems claim to be better, and we are using some of them; waiting and watching and suspecting are the lessons learned from stalwart testbed PGP in all its guises and disguises. We likely would not have discovered the compromises if not for those lessons. Nor do we mind starting from scratch, perhaps a bit more often than 11 years. Tornadoes do happen outside alleys of easy prediction (this is not a cyphersec sales motto).

At 04:22 PM 9/15/2015, Paul Wouters wrote:

> On Tue, 15 Sep 2015, John Young wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
>
> by unknown key.
>
> > I have learned today that all PGP public keys of John Young and Cryptome have been
> > compromised.
> > The keys have been revoked today.
>
> Revocation could have been done by the person who stole the keys too. That in itself is not good enough.
>
> > Two new keys have been generated today:
> >
> > John Young 15-0915 0xD87D436C
> > Cryptome 15-0915 0x8CD47BD5
>
> Which I cannot find on either pgp.mit.edu or pgp.surfnet.nl. I did find them on keyserver.pgp.com, but I don't know who runs it, and with the additional captcha software, no idea if that is compromised :P
>
> It is announced using short key IDs, not to be trusted, and no fingerprints, although we can get those from the key used to sign this message I guess.
>
> $ gpg --list-sigs D87D436C
> pub   4096R/D87D436C 2015-09-15
> uid                  John Young 15-0915
> sig N    D87D436C 2015-09-15  John Young 15-0915
> sig      CA57AD7C 2015-09-15  [User ID not found]
> sub   4096R/79F82F3B 2015-09-15
> sig      D87D436C 2015-09-15  John Young 15-0915
>
> $ gpg --list-sigs 8CD47BD5
> pub   4096R/8CD47BD5 2015-09-15
> uid                  Cryptome 15-0915
> sig N    8CD47BD5 2015-09-15  Cryptome 15-0915
> sig      CA57AD7C 2015-09-15  [User ID not found]
> sub   4096R/27BCF5FB 2015-09-15
> sig      8CD47BD5 2015-09-15  Cryptome 15-0915
>
> The keys are both announced but not signed by each other?
>
> I fetched CA57AD7C, which has 6863 signatures on it. It seems to be some PGP global directory key, signed by a few people I know, but still seems to be only proof that it came from the keyserver, not that the key actually belongs to you.
>
> > This message is signed by the first.
>
> But is that first key signed by the old keys? (Which of course could also have been done by the attacker, so you need to re-start a web of trust with some of your personal confidants.)
>
> > -----BEGIN PGP SIGNATURE-----
>
> from an unknown key - with no direct signatures of any known trustable key run by a human.
>
> Paul
>
> ___
> The cryptography mailing list
> cryptogra...@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
[cryptography] JYA and Cryptome Keys Compromised
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

15 September 2015

I have learned today that all PGP public keys of John Young and Cryptome have been compromised.

The keys have been revoked today.

Two new keys have been generated today:

John Young 15-0915 0xD87D436C
Cryptome 15-0915 0x8CD47BD5

This message is signed by the first.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wsFVAwUBVfhrXUkY+k7YfUNsAQgyeQ/+PA604lj8ZrZq9qnRMsbA86DdGPUyrdub
IWlQSpp5wyMMQG4VegjG7iwXBt6GftKQFLKuW527wGxaxIBJj1n2GhCMkn7mko1s
u107yQ5WVfJUTOHgazi2viuw8v3ixmJ/GcdvEeGCL23ErgGwvI6+JilmkP7vonmu
73ckavqrs6VvUJjjwzoIbgvXxsp+oqKT5EgZqfroQOaaz3e4AjipxwMav2VMqVTl
xZdHlp/QGab8Cet17NnDsNmN38YWT5t4pU1tL+0aN9jf7Vy+Jzx5g8nMk0e7ogzz
vg8ioWs3EkxJbjQaWK5/COjoYLjIZn6H5zUJgIBRtqsnbfNUcQisCNbwx1fNRGwq
DItG/jeHp65q6eDxFVWGkptDuZKUH4fGuiiRMxIySrj1CA1+9M5Q+m2TxnL/SFNU
AIfupcGWhtXXa1ZN70LT3fnIu9y9B5mQLSshn14eekD3t0nb+OkL+XEC0nJqnfVD
xOOqAjHQj1ytEfHSKb+i+/tHTCCTOKeaHM3JGE6qIawrn+aRfKsnGK9t+JiVEtyx
1d+L0gHwtcUd5MWQJdCMHoM10ri5cgx0A6su+lYnLgOcXYD3uHSVIdp1cSf3Wzwb
3MrO2BqqhL5y1Ip3Cfv+h+eXaZWWMr5w97kjSOYD/lwb61iA1tpWLkgiuUGBGrFb
32VkU7sMt4E=
=Q9BO
-----END PGP SIGNATURE-----
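What the signature block on the announcement above actually discloses about the signing key, as an added example that is not part of the thread: a signature packet carries the issuer's 64-bit key ID and nothing more about the key, so a reader who only has this message cannot compare a fingerprint. The code below is written for this page (not PGP Desktop's or GnuPG's code); it embeds the armored signature copied from the announcement, checks the armor CRC, decodes the packet header and reads the version-3 signature fields per RFC 4880 sections 4.2, 5.2.2 and 6.1. It assumes the armor contains a single signature packet, which is what a clear-signed message carries.

```python
"""
Parse the clear-signed announcement's signature packet to see exactly what a
signature reveals about the signing key: a 64-bit key ID, not a fingerprint.
Added example, not part of the thread. The armored signature is copied from
the announcement; packet layout follows RFC 4880 (sections 4.2, 5.2.2, 6.1)
and a single version-3 signature packet is assumed.
"""
import base64
import struct
from datetime import datetime, timezone

SIGNATURE_ARMOR = """\
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wsFVAwUBVfhrXUkY+k7YfUNsAQgyeQ/+PA604lj8ZrZq9qnRMsbA86DdGPUyrdub
IWlQSpp5wyMMQG4VegjG7iwXBt6GftKQFLKuW527wGxaxIBJj1n2GhCMkn7mko1s
u107yQ5WVfJUTOHgazi2viuw8v3ixmJ/GcdvEeGCL23ErgGwvI6+JilmkP7vonmu
73ckavqrs6VvUJjjwzoIbgvXxsp+oqKT5EgZqfroQOaaz3e4AjipxwMav2VMqVTl
xZdHlp/QGab8Cet17NnDsNmN38YWT5t4pU1tL+0aN9jf7Vy+Jzx5g8nMk0e7ogzz
vg8ioWs3EkxJbjQaWK5/COjoYLjIZn6H5zUJgIBRtqsnbfNUcQisCNbwx1fNRGwq
DItG/jeHp65q6eDxFVWGkptDuZKUH4fGuiiRMxIySrj1CA1+9M5Q+m2TxnL/SFNU
AIfupcGWhtXXa1ZN70LT3fnIu9y9B5mQLSshn14eekD3t0nb+OkL+XEC0nJqnfVD
xOOqAjHQj1ytEfHSKb+i+/tHTCCTOKeaHM3JGE6qIawrn+aRfKsnGK9t+JiVEtyx
1d+L0gHwtcUd5MWQJdCMHoM10ri5cgx0A6su+lYnLgOcXYD3uHSVIdp1cSf3Wzwb
3MrO2BqqhL5y1Ip3Cfv+h+eXaZWWMr5w97kjSOYD/lwb61iA1tpWLkgiuUGBGrFb
32VkU7sMt4E=
=Q9BO
-----END PGP SIGNATURE-----
"""


def crc24(data):
    """OpenPGP armor checksum (RFC 4880 section 6.1 reference algorithm)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armor):
    """Return (packet bytes, checksum_ok) from a PGP SIGNATURE armor block."""
    lines = armor.strip().splitlines()
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not a PGP SIGNATURE armor block")
    body = lines[1:-1]
    blank = body.index("")                      # armor headers end at the first blank line
    data_lines = [line for line in body[blank + 1:] if line]
    crc_line = data_lines.pop()                 # trailing "=XXXX" line is the CRC24
    data = base64.b64decode("".join(data_lines))
    want = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return data, crc24(data) == want


def packet_header(data):
    """Decode one OpenPGP packet header; returns (tag, body_offset, body_length)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                            # new-format header
        tag, second = first & 0x3F, data[1]
        if second < 192:
            return tag, 2, second
        if second < 224:
            return tag, 3, ((second - 192) << 8) + data[2] + 192
        if second == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def parse_v3_signature(body):
    """Fields of a version-3 signature packet (RFC 4880 section 5.2.2)."""
    version, hashed_len, sig_type = body[0], body[1], body[2]
    if version != 3 or hashed_len != 5:
        raise ValueError("not a version-3 signature packet")
    created = struct.unpack(">I", body[3:7])[0]
    key_id = body[7:15].hex().upper()
    mpi_bits = struct.unpack(">H", body[19:21])[0]
    return {
        "version": version,
        "sig_type": sig_type,              # 0x01 = canonical text document (clear-signed)
        "created": created,
        "created_utc": datetime.fromtimestamp(created, timezone.utc).isoformat(),
        "issuer_key_id": key_id,           # the only key identity in the packet: 64 bits
        "short_key_id": key_id[-8:],       # what the announcement quotes
        "pk_algorithm": body[15],          # 1 = RSA
        "hash_algorithm": body[16],        # 8 = SHA-256, matching the "Hash:" armor header
        "hash_left16": body[17:19].hex().upper(),
        "mpi_bits": mpi_bits,              # signature size, so ~modulus size (4094 -> 4096-bit key)
    }


def inspect_announcement():
    data, crc_ok = dearmor(SIGNATURE_ARMOR)
    tag, offset, length = packet_header(data)
    if tag != 2 or offset + length != len(data):
        raise ValueError("expected exactly one signature packet")
    info = parse_v3_signature(data[offset:offset + length])
    info["armor_crc_ok"] = crc_ok
    info["packet_bytes"] = len(data)
    return info


if __name__ == "__main__":
    for field, value in inspect_announcement().items():
        print(f"{field:16s} {value}")
```

The issuer field ties the message to long key ID 4918FA4ED87D436C, whose low 32 bits are the 0xD87D436C the announcement quotes; neither the announcement nor the signature contains the 160-bit fingerprint, which is why Paul has to fetch the key from a keyserver to get one.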
Re: [cryptography] JYA and Cryptome Keys Compromised
On Tue, 15 Sep 2015, John Young wrote:

> -----BEGIN PGP SIGNED MESSAGE-----

by unknown key.

> I have learned today that all PGP public keys of John Young and Cryptome have been
> compromised.
> The keys have been revoked today.

Revocation could have been done by the person who stole the keys too. That in itself is not good enough.

> Two new keys have been generated today:
>
> John Young 15-0915 0xD87D436C
> Cryptome 15-0915 0x8CD47BD5

Which I cannot find on either pgp.mit.edu or pgp.surfnet.nl. I did find them on keyserver.pgp.com, but I don't know who runs it, and with the additional captcha software, no idea if that is compromised :P

It is announced using short key IDs, not to be trusted, and no fingerprints, although we can get those from the key used to sign this message I guess.

$ gpg --list-sigs D87D436C
pub   4096R/D87D436C 2015-09-15
uid                  John Young 15-0915
sig N    D87D436C 2015-09-15  John Young 15-0915
sig      CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/79F82F3B 2015-09-15
sig      D87D436C 2015-09-15  John Young 15-0915

$ gpg --list-sigs 8CD47BD5
pub   4096R/8CD47BD5 2015-09-15
uid                  Cryptome 15-0915
sig N    8CD47BD5 2015-09-15  Cryptome 15-0915
sig      CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/27BCF5FB 2015-09-15
sig      8CD47BD5 2015-09-15  Cryptome 15-0915

The keys are both announced but not signed by each other?

I fetched CA57AD7C, which has 6863 signatures on it. It seems to be some PGP global directory key, signed by a few people I know, but still seems to be only proof that it came from the keyserver, not that the key actually belongs to you.

> This message is signed by the first.

But is that first key signed by the old keys? (Which of course could also have been done by the attacker, so you need to re-start a web of trust with some of your personal confidants.)

> -----BEGIN PGP SIGNATURE-----

from an unknown key - with no direct signatures of any known trustable key run by a human.

Paul
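Why "announced using short keyids" is a weak identity claim, as an added example that is not part of Paul's message: the code below, written for this page and not taken from GnuPG, builds a version-4 RSA public-key packet body, computes the v4 fingerprint as RFC 4880 section 12.2 defines it (SHA-1 over 0x99, the two-byte length and the body), and shows that the long and short key IDs are simply the low 64 and 32 bits of that hash. It then searches for a second key whose fingerprint agrees in its low bits by varying nothing but the creation timestamp, which an attacker chooses freely. The "key" is a constructed 64-bit toy modulus (TOY_N, TOY_E, TOY_CREATED are all made up), so its fingerprint matches nothing on any keyserver.

```python
"""
OpenPGP v4 fingerprint and key-ID arithmetic, to show why naming keys only by
32-bit short IDs (0xD87D436C, 0x8CD47BD5) proves little and the 40-hex-digit
fingerprint is the value to compare. Added example, not from the thread.
TOY_N/TOY_E/TOY_CREATED are a constructed toy key, not a real one.
Packet layout per RFC 4880 sections 5.5.2 and 12.2.
"""
import hashlib
import struct

TOY_N = 0xD2F4B6A1C3E5079B   # constructed 64-bit "modulus", not a real RSA key
TOY_E = 65537
TOY_CREATED = 1442275200     # constructed timestamp, 2015-09-15 00:00:00 UTC


def mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(n, e, created):
    """Body of a version-4 RSA public-key packet: version, time, algorithm 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def parse_v4_rsa_public_key_body(body):
    """Inverse of v4_rsa_public_key_body; returns (created, n, e)."""
    if body[0] != 4 or body[5] != 1:
        raise ValueError("not a v4 RSA public-key body")
    created = struct.unpack(">I", body[1:5])[0]
    pos, values = 6, []
    for _ in range(2):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        length = (bits + 7) // 8
        values.append(int.from_bytes(body[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    return created, values[0], values[1]


def v4_fingerprint(body):
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fingerprint):
    """Long key ID is the low 64 bits of the fingerprint; the short ID the low 32."""
    return fingerprint[-16:], fingerprint[-8:]


def toy_key_identity():
    """Fingerprint and both key IDs of the constructed toy key."""
    fp = v4_fingerprint(v4_rsa_public_key_body(TOY_N, TOY_E, TOY_CREATED))
    long_id, short_id = key_ids(fp)
    return {"fingerprint": fp, "long_id": long_id, "short_id": short_id}


def find_low_bits_collision(bits=16, max_tries=1 << 20):
    """Find a second key whose fingerprint shares its low `bits` bits with the
    toy key, changing only the attacker-chosen creation timestamp. Expected
    cost is about 2**bits hashes: instant for 16 bits here, and well within
    reach for the 32 bits of a short key ID, which is why a short ID is not
    an identity check."""
    target = toy_key_identity()["fingerprint"]
    hexdigits = bits // 4
    for created in range(TOY_CREATED + 1, TOY_CREATED + 1 + max_tries):
        fp = v4_fingerprint(v4_rsa_public_key_body(TOY_N, TOY_E, created))
        if fp[-hexdigits:] == target[-hexdigits:]:
            return {"created": created, "fingerprint": fp, "tries": created - TOY_CREATED}
    raise RuntimeError(f"no {bits}-bit collision within {max_tries} tries")


if __name__ == "__main__":
    me = toy_key_identity()
    print("fingerprint", me["fingerprint"], "long", me["long_id"], "short", me["short_id"])
    twin = find_low_bits_collision(16)
    print("16-bit twin after", twin["tries"], "tries:", twin["fingerprint"])
```

The gpg listing above shows the same truncation: "4096R/D87D436C" is the 32-bit short ID, which `gpg --keyid-format long` widens to 64 bits and `gpg --fingerprint` replaces with the full 160-bit value; only the last of these is worth reading out over a trusted channel.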