Re: [cryptography] Extended Random is extended to whom, exactly?
On 6/04/2014 05:46 am, coderman wrote:
> On Mon, Mar 31, 2014 at 3:33 PM, ianG i...@iang.org wrote:
>> ...
>> In some ways, this reminds me of the audit reports for compromised CAs. Once you know the compromise, you can often see the weakness in the report.
>
> are these public reports? such a collection of compromise reports would be informative. (if you've got a list :)

They are published, typically. Audits are made available to the vendor community, and some vendors have taken the hint and insisted that they be posted and available for public scrutiny.

However they are buried.

Firstly, they are not collected in any particular one place. The best is probably Mozilla's list of audit reviews, in which you can follow the links of each post-for-review (and you get to comment on the post when it is play) but certainly until recently this list was not complete, many roots were grandfathered in. No other vendor reports on its ueber-CA activities that I know of, but sometimes the auditors' associations publish the reports (WebTrust had a very gappy list at one stage).

Secondly, they use the internal language of audit, and one could be mistaken in assuming they are written to speak to other auditors, only.

Thirdly they are full of audit-semantics. Together, these are unfortunately hard to distinguish from industrial grade CYA.

Fourthly, they are commissioned by the CA, for the CA, of the CA, not for you, nor written with you in mind. There is a false expectation that the public can rely on auditor's reports, but this only applies to formal audit reports in a financial reporting context. Beyond that, it's ... open to question. So typically, you are not entitled to rely on an auditor's report, and while they'll accept you have that fallacious impression, you can be sure they'll fight it in court and win.

Oh, and fifthly, they are dryer than a Mars rainfall survey.

iang

http://financialcryptography.com/mt/archives/001126.html Audit burial customs in 7 parts.
___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Github Pages now supports SSL
> Message of 04/04/14 20:09
> From: Eric Mill
>
> Along with Cloudflare's 2014 plan to offer SSL termination for free, and their stated plan to double SSL on the Internet by end of year, the barrier to HTTPS everywhere is dropping rapidly.

I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service.
Re: [cryptography] Github Pages now supports SSL
On 4/6/2014 10:40, tpb-cry...@laposte.net wrote:
>> Message of 04/04/14 20:09
>> From: Eric Mill
>>
>> Along with Cloudflare's 2014 plan to offer SSL termination for free, and their stated plan to double SSL on the Internet by end of year, the barrier to HTTPS everywhere is dropping rapidly.
>
> I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service.

Source for this please?

--
staticsafe
Re: [cryptography] Github Pages now supports SSL
> Message of 06/04/14 17:41
> From: staticsafe
>
> On 4/6/2014 10:40, tpb-cry...@laposte.net wrote:
>>> Message of 04/04/14 20:09
>>> From: Eric Mill
>>>
>>> Along with Cloudflare's 2014 plan to offer SSL termination for free, and their stated plan to double SSL on the Internet by end of year, the barrier to HTTPS everywhere is dropping rapidly.
>>
>> I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service.
>
> Source for this please?

Is it so painful to do your own homework?

Matthew Prince, Lee Holloway, and Michelle Zatlyn created CloudFlare in 2009.[1][2] They previously worked on Project Honey Pot. - http://en.wikipedia.org/wiki/CloudFlare

[...] the project organizers also help various law enforcement agencies combat private and commercial unsolicited bulk mailing offenses and overall work to help reduce the amount of spam being sent [...] - http://en.wikipedia.org/wiki/Project_Honey_Pot

That's just for starters, you can dig more and find more. It is interesting that the history of the founders themselves is no longer exhibited in cloudflare.com website as it was years ago.

As an American company, there is nothing preventing Cloudflare from receiving NSLs and having to shut up about them. What use is a system that you can't trust like this?

You can say oh, but they go after the bad guys, spammers. But that doesn't limit it to spammers, neither do we know who are the so-called bad guys, since that is decided by American secret laws, made by secret courts, that issue secret orders.

No trust to American companies, less even trust to American companies that promise any kind of data security. Better no security than a false sense of it. Sorry.
Re: [cryptography] Github Pages now supports SSL
oh dear. He helped the government combat crime and nuisance style offenses. Clearly in collusion.

On Sun, Apr 6, 2014 at 12:20 PM, tpb-cry...@laposte.net wrote:
>> Message of 06/04/14 17:41
>> From: staticsafe
>>
>> On 4/6/2014 10:40, tpb-cry...@laposte.net wrote:
>>>> Message of 04/04/14 20:09
>>>> From: Eric Mill
>>>>
>>>> Along with Cloudflare's 2014 plan to offer SSL termination for free, and their stated plan to double SSL on the Internet by end of year, the barrier to HTTPS everywhere is dropping rapidly.
>>>
>>> I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service.
>>
>> Source for this please?
>
> Is it so painful to do your own homework?
>
> Matthew Prince, Lee Holloway, and Michelle Zatlyn created CloudFlare in 2009.[1][2] They previously worked on Project Honey Pot. - http://en.wikipedia.org/wiki/CloudFlare
>
> [...] the project organizers also help various law enforcement agencies combat private and commercial unsolicited bulk mailing offenses and overall work to help reduce the amount of spam being sent [...] - http://en.wikipedia.org/wiki/Project_Honey_Pot
>
> That's just for starters, you can dig more and find more. It is interesting that the history of the founders themselves is no longer exhibited in cloudflare.com website as it was years ago.
>
> As an American company, there is nothing preventing Cloudflare from receiving NSLs and having to shut up about them. What use is a system that you can't trust like this?
>
> You can say oh, but they go after the bad guys, spammers. But that doesn't limit it to spammers, neither do we know who are the so-called bad guys, since that is decided by American secret laws, made by secret courts, that issue secret orders.
>
> No trust to American companies, less even trust to American companies that promise any kind of data security. Better no security than a false sense of it. Sorry.
Re: [cryptography] Extended Random is extended to whom, exactly?
On Sun, Apr 6, 2014 at 6:10 AM, ianG i...@iang.org wrote:
> ...
> They are published, typically... However they are buried...
> Firstly, they are not collected in any particular one place.
> Secondly, they use the internal language of audit...
> Thirdly they are full of audit-semantics...
> Fourthly, they are commissioned by the CA, for the CA, of the CA, not for you, nor written with you in mind
> Oh, and fifthly, they are dryer than a Mars rainfall survey...
>
> http://financialcryptography.com/mt/archives/001126.html Audit burial customs in 7 parts.

thanks for this! it seems most things of interest require some reverse engineering, however, this is still a nice source of empirical observations...

best regards,