Re: [cryptography] a little help with cookies please

2015-09-15 Thread James A. Donald

On 2015-09-16 11:40, Givon Zirkind wrote:

> is it correct that [web page] cookies are truly local?


Web page cookies are always sent to the server.

And what is truly evil is that umpteen different websites may include a 
link to google, which sends google the google cookies, so that google 
knows that it is the same person on many different websites.


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
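
The behaviour described in the reply above, modelled with Python's standard-library cookie jar as an added example (not part of the thread). The hosts shop.example, tracker.example, news.example and blog.example, the cookie values and the helper names are constructed for illustration.

```python
import http.cookiejar
import urllib.request

def stored_cookie(name, value, host):
    """A host-only cookie as a browser keeps it after a Set-Cookie response."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=host, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True, secure=False, expires=None,
        discard=True, comment=None, comment_url=None, rest={})

def cookie_sent(jar, url, form_data=None):
    """Cookie header the jar attaches to a request for url (None if none match)."""
    request = urllib.request.Request(url, data=form_data)
    jar.add_cookie_header(request)  # the step a browser performs before sending
    return request.get_header("Cookie")

def tracker_view(jar, embedding_pages):
    """What the third party receives when each page embeds one of its resources."""
    return [(page, cookie_sent(jar, "http://tracker.example/pixel?from=" + page))
            for page in embedding_pages]

# Constructed browser state: one first-party and one third-party cookie.
JAR = http.cookiejar.CookieJar()
JAR.set_cookie(stored_cookie("session", "abc123", "shop.example"))
JAR.set_cookie(stored_cookie("uid", "u-42", "tracker.example"))

if __name__ == "__main__":
    # A form submit carries the cookie without the page doing anything.
    print(cookie_sent(JAR, "http://shop.example/submit", b"qty=1"))
    # The same identifier reaches the third party from every embedding page.
    print(tracker_view(JAR, ["news.example", "blog.example"]))
```
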


Re: [cryptography] a little help with cookies please

2015-09-15 Thread Givon Zirkind
Is it correct that [web page] cookies are truly local? Is it correct
that they are not passed to the server when a submit button is pressed
unless specifically sent, unlike [web page] form data, which is
automatically passed to the server?



Re: [cryptography] [Cryptography] JYA and Cryptome Keys Compromised

2015-09-15 Thread John Young

Correct analysis. First was get out a prompt notice to wave off users,
then proceed with other authentications. Toughest problem is how to
avoid another compromise of new keys since so many ways to do
that have arisen and/or suspected over the life of PGP and other
systems. WoT is problematic too, as are key signing parties, and
so on. Other systems claim to be better, and we are using some of
them, waiting and watching and suspecting are the lessons learned
from stalwart testbed PGP in all its guises and disguises.

We likely would not have discovered the compromises if not for
those lessons.

Nor do we mind starting from scratch, perhaps a bit more often
than 11 years. Tornados do happen outside alleys of easy
prediction (this is not a cyphersec sales motto).

At 04:22 PM 9/15/2015, Paul Wouters wrote:

On Tue, 15 Sep 2015, John Young wrote:

> -BEGIN PGP SIGNED MESSAGE-

by unknown key.

> I have learned today that all PGP public keys of John Young
>  and Cryptome  have been
> compromised.
> The keys have been revoked today.

Revocation could have been done by the person who stole the keys too.
That in itself is not good enough.

> Two new keys have been generated today:
>
> John Young 15-0915  0xD87D436C
> Cryptome 15-0915  0x8CD47BD5

Which I cannot find on either pgp.mit.edu or pgp.surfnet.nl. I did find
them on keyserver.pgp.com, but I don't know who runs it and with the
additional captcha software, no idea if that is compromised :P

It is announced using short keyids, not to be trusted, and no
fingerprints although we can get those from the key used to sign this
message I guess.

$ gpg --list-sigs D87D436C
pub   4096R/D87D436C 2015-09-15
uid  John Young 15-0915
sig  N   D87D436C 2015-09-15  John Young 15-0915
sig  CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/79F82F3B 2015-09-15
sig  D87D436C 2015-09-15  John Young 15-0915

$ gpg --list-sigs 8CD47BD5
pub   4096R/8CD47BD5 2015-09-15
uid  Cryptome 15-0915
sig  N   8CD47BD5 2015-09-15  Cryptome 15-0915
sig  CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/27BCF5FB 2015-09-15
sig  8CD47BD5 2015-09-15  Cryptome 15-0915

The keys are both announced but not signed by each other?

I fetched CA57AD7C which has 6863 signatures on it. It seems to be some
PGP global directory key, signed by a few people I know, but still seems
to be only proof that it came from the keyserver, not that the key
actually belongs to you.

> This message is signed by the first.

But is that first key signed by the old keys? (which of course could
also have been done by the attacker, so you need to re-start a web
of trust with some of your personal confidants.)

> -BEGIN PGP SIGNATURE-

from an unknown key - with no direct signatures of any known trustable
key run by a human.

Paul
___
The cryptography mailing list
cryptogra...@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography





[cryptography] JYA and Cryptome Keys Compromised

2015-09-15 Thread John Young

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

15 September 2015

I have learned today that all PGP public keys of John Young
 and Cryptome  have been
compromised.
The keys have been revoked today.

Two new keys have been generated today:

John Young 15-0915  0xD87D436C
Cryptome 15-0915  0x8CD47BD5

This message is signed by the first.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)
-END PGP SIGNATURE-




Re: [cryptography] JYA and Cryptome Keys Compromised

2015-09-15 Thread Paul Wouters

On Tue, 15 Sep 2015, John Young wrote:


> -BEGIN PGP SIGNED MESSAGE-


by unknown key.


> I have learned today that all PGP public keys of John Young
>  and Cryptome  have been
> compromised.
> The keys have been revoked today.


Revocation could have been done by the person who stole the keys too.
That in itself is not good enough.


> Two new keys have been generated today:
>
> John Young 15-0915  0xD87D436C
> Cryptome 15-0915  0x8CD47BD5


Which I cannot find on either pgp.mit.edu or pgp.surfnet.nl. I did find
them on keyserver.pgp.com, but I don't know who runs it and with the
additional captcha software, no idea if that is compromised :P

It is announced using short keyids, not to be trusted, and no
fingerprints although we can get those from the key used to sign this
message I guess.

$ gpg --list-sigs D87D436C
pub   4096R/D87D436C 2015-09-15
uid  John Young 15-0915 
sig  N   D87D436C 2015-09-15  John Young 15-0915 
sig  CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/79F82F3B 2015-09-15
sig  D87D436C 2015-09-15  John Young 15-0915 

$ gpg --list-sigs 8CD47BD5
pub   4096R/8CD47BD5 2015-09-15
uid  Cryptome 15-0915 
sig  N   8CD47BD5 2015-09-15  Cryptome 15-0915 
sig  CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/27BCF5FB 2015-09-15
sig  8CD47BD5 2015-09-15  Cryptome 15-0915 

The keys are both announced but not signed by each other?

I fetched CA57AD7C which has 6863 signatures on it. It seems to be some
PGP global directory key, signed by a few people I know, but still seems
to be only proof that it came from the keyserver, not that the key
actually belongs to you.


> This message is signed by the first.


But is that first key signed by the old keys? (which of course could
also have been done by the attacker, so you need to re-start a web
of trust with some of your personal confidants.)


> -BEGIN PGP SIGNATURE-


from an unknown key - with no direct signatures of any known trustable
key run by a human.

Paul
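
The check made by eye on the two listings in the message above, written out as an added example (not part of the original message): it parses the quoted `gpg --list-sigs` output and reports who signs each new key besides the key itself. The `trusted` parameter and the function names are assumptions; the page gives no IDs for the old keys, so the set is empty by default.

```python
import re
# `gpg --list-sigs` output as quoted above; short key IDs are all the listing shows.
LISTING = """\
pub   4096R/D87D436C 2015-09-15
uid  John Young 15-0915
sig  N   D87D436C 2015-09-15  John Young 15-0915
sig  CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/79F82F3B 2015-09-15
sig  D87D436C 2015-09-15  John Young 15-0915
pub   4096R/8CD47BD5 2015-09-15
uid  Cryptome 15-0915
sig  N   8CD47BD5 2015-09-15  Cryptome 15-0915
sig  CA57AD7C 2015-09-15  [User ID not found]
sub   4096R/27BCF5FB 2015-09-15
sig  8CD47BD5 2015-09-15  Cryptome 15-0915
"""
KEYID = re.compile(r"^[0-9A-F]{8}$")

def uid_signers(listing):
    """Map each primary key ID to the key IDs that signed its user ID."""
    keys, current, section = {}, None, None
    for line in listing.splitlines():
        tokens = line.split()
        kind = tokens[0] if tokens else ""
        if kind == "pub":
            current, section = tokens[1].split("/")[1], "pub"
            keys[current] = set()
        elif kind in ("uid", "sub"):
            section = kind  # signatures under "sub" only bind the subkey
        elif kind == "sig" and current and section == "uid":
            # Skip flag columns such as "N"; the first 8-hex token is the signer.
            signer = next((t for t in tokens[1:] if KEYID.match(t)), None)
            if signer:
                keys[current].add(signer)
    return keys

def review(listing, trusted=frozenset()):
    """Per key: is it self-signed, and who else vouches for it?"""
    keys = uid_signers(listing)
    report = {}
    for keyid, signers in keys.items():
        others = signers - {keyid}
        report[keyid] = {
            "self_signed": keyid in signers,
            "third_party": others,
            "cross_signed_by": others & set(keys),     # the other listed key
            "trusted_signers": others & set(trusted),  # keys the verifier trusts
        }
    return report
```

With the listing from the message, both keys come back self-signed, carrying only the CA57AD7C signature, with no cross-signature and no signer from the verifier's trusted set.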