[I prefer to keep discussions on-list where possible. CCing the list.]
Beryllium Sphere LLC wrote:
> Bruce Schneier pointed out years ago that it's trivial for a virus
> or Trojan to add a new trusted CA to the browser's list of trusted
> roots. At least one "advertising support web ac
re:
http://www.garlic.com/~lynn/aadsm26.htm#26 man in the middle, SSL
basically digital certificates were designed as the electronic equivalent for offline distribution of information ... paradigm left over from the letters of credit and letters of introduction out of the sailing ship days (and e
James Muir wrote:
> I was reading a hacking blog today and came across this:
>
> http://www.darknet.org.uk/2007/02/odysseus-win32-proxy-telemachus-http-transaction-analysis/
>
>
>> Odysseus is a proxy server, which acts as a man-in-the-middle during
>> an HTTP session. A typical HTTP proxy will
James Muir wrote:
It is my understanding that SSL is engineered to resist mitm attacks, so
I am suspicious of these claims. I wondered if someone more familiar
with SSL/TLS could comment.
Isn't in the case that the application doing SSL on the client should
detect what this proxy server is d
Am Freitag, den 02.02.2007, 16:15 -0500 schrieb James Muir:
> > You can find more and download Odysseus here:
> >
> > http://www.bindshell.net/tools/odysseus
>
> It is my understanding that SSL is engineered to resist mitm attacks,
> so
> I am suspicious of these claims. I wondered if someone m
James Muir wrote:
> It is my understanding that SSL is engineered to resist mitm attacks, so
> I am suspicious of these claims. I wondered if someone more familiar
> with SSL/TLS could comment.
> Isn't in the case that the application doing SSL on the client should
> detect what this proxy server
Alcatel-Lucent are planning to release a PCMCIA for mobile workers
that can be accessed by IT Management even if the laptop is turned of.
See more details and discussion at:
http://www.xml-dev.com/lurker/message/20070201.174735.f19eca6b.en.html
or
http://tinyurl.com/2gbxb8
The can encrypt the HD
I was reading a hacking blog today and came across this:
http://www.darknet.org.uk/2007/02/odysseus-win32-proxy-telemachus-http-transaction-analysis/
Odysseus is a proxy server, which acts as a man-in-the-middle during
an HTTP session. A typical HTTP proxy will relay packets to and from
a cl
The social aspects of ease-of-use versus security are well-known.
People would rather use something that works than something that
is secure but hard to use. Ease-of-use trumps risks.
What is less recognized, even though it seems intuitive, is that
convenience (even though costlier and harder to u
Hey, quick question.
If one wants to have multiple keys, but for ease-of-use considerations
want to only have the user enter one, is there a preferred way to
derive multiple keys that, while not independent, are "computationally
independent"?
I was thinking of hashing the passphrase with a unique
Victor Duchovni wrote:
> On Sun, Jan 28, 2007 at 12:47:18PM -0500, Thor Lancelot Simon wrote:
>
> > That doesn't make sense to me -- the end-of-chain (server or client)
> > certificate won't be signed by _both_ the old and new root,
> I wouldn't
> > think (does x.509 even make this possible)?
> >
Travis H. wrote:
So I was reading this:
http://en.wikipedia.org/wiki/Merkle-Damgard
It seems to me the length-extension attack (given one collision, it's
easy to create others) is not the only one, though it's obviously a
big concern to those who rely on it.
This attack thanks to Schneier:
If
Bill Stewart wrote:
>Salt is designed to address a couple of threats
>- Pre-computing password dictionaries for attacking wimpy passwords
>...
Yes indeed. The rainbow-tables style attacks are important to protect
against, and a salt does the trick. This is why you can find rainbow tables
for Lan
I am not convinced that we need intuitive cryptography.
Many things in life are not understood by the general public.
How does a car really work: most people don't know but they still drive one.
How does a microwave oven work?
People don't need to understand the details, but the high level conce
On Wed, Jan 31, 2007 at 01:57:04PM +1300, Peter Gutmann wrote:
> Victor Duchovni <[EMAIL PROTECTED]> writes:
>
> >What I don't understand is how the old (finally expired) root helps to
> >validate the new unexpired root, when a verifier has the old root and the
> >server presents the new root in
Victor Duchovni <[EMAIL PROTECTED]> writes:
>What I don't understand is how the old (finally expired) root helps to
>validate the new unexpired root, when a verifier has the old root and the
>server presents the new root in its trust chain.
You use the key in the old root to validate the self-sig
| > |
| > | ...There's an obvious cryptographic solution, of course: publish the
| > | hash of any such documents. Practically speaking, it's useless.
| > | Apart from having to explain hash functions to lawyers, judges,
| > | members of Congress, editorial page writers, bloggers, and talk
| > |
On Jan 30, 2007, at 16:41, Steven M. Bellovin wrote:
On Tue, 30 Jan 2007 16:10:47 -0500 (EST)
"Leichter, Jerry" <[EMAIL PROTECTED]> wrote:
|
| ...There's an obvious cryptographic solution, of course: publish
the
| hash of any such documents. Practically speaking, it's useless.
| Apart
On Tue, 30 Jan 2007 16:10:47 -0500 (EST)
"Leichter, Jerry" <[EMAIL PROTECTED]> wrote:
>
> |
> | ...There's an obvious cryptographic solution, of course: publish the
> | hash of any such documents. Practically speaking, it's useless.
> | Apart from having to explain hash functions to lawyers, ju
| ...I agree with you about intuitive cryptography. What you're
| complaining about is, in effect, "Why Johnny Can't Hash". There was
| another instance of that in today's NY Times. In one of the court
| cases stemming from the warrantless wiretapping, the Justice
| Department is, in the holy na
On Fri, Jan 26, 2007 at 05:58:16PM -0500, Matt Blaze wrote:
*
* It occurs to me that the lack of secure, practical crypto primitives and
* protocols that are intuitively clear to ordinary people may be why
* cryptography has had so little impact on an even more important problem
* than psychic deb
Original Message
Subject: Physics News Update 810
PHYSICS NEWS UPDATE
The American Institute of Physics Bulletin of Physics News
Number 810 30 January 2007 by Phillip F. Schewe, Ben Stein, Turner
Brinton, and Davide Castelvecchi www.aip.org/pnu
[...]
CH
See Section 3.3 of Coron, Dodis, Malinaud and Puniya's "A New Design
Criteria for Hash-Functions". They address this and several other
problems with the M-D construction in this paper submitted to the 2005
NIST Hash Workshop. (http://cs.nyu.edu/~puniya/papers/nist.pdf)
Jeremy
> -Original Mess
Travis H. wrote:
On Wed, Jan 24, 2007 at 03:28:50PM -0800, Allen wrote:
If 4 gigs is right, would it then be records to look for to break
the code via birthday attacks would be things like seismic data,
In case anyone else couldn't parse this, he means "the amount of
encrypted material neces
John Gilmore wrote:
http://news.com.com/IBM+donates+new+privacy+tool+to+open-source/2100-1029_3-6153625.html
IBM donates new privacy tool to open-source
By Joris Evers
Staff Writer, CNET News.com
Published: January 25, 2007, 9:00 PM PST
...
For example, when making a purchase online, b
On Sun, 28 Jan 2007, Steven M. Bellovin wrote:
> Beyond that, 60K doesn't make that much of a difference even with a
> traditional /etc/passwd file -- it's only an average factor of 15
> reduction in the attacker's workload. While that's not trivial, it's
> also less than, say, a one-character in
26 matches
Mail list logo