On Nov 10, 2009, at 8:44 AM, Jerry Leichter wrote:
Whether or not it can, it demonstrates the hazards of freezing
implementations of crypto protocols into ROM: Imagine a world in
which there are a couple of hundred million ZTIC's or similar
devices fielded - and a significant vulnerabilit

On 11/8/09, Zooko Wilcox-O'Hearn wrote:
> Therefore I've been thinking about how to make Tahoe-LAFS robust against
> the possibility that SHA-256 will turn out to be insecure.
NIST are dealing with that via the AHS process. Shouldn't you just use
their results?
> We could use a different hash

|
| This is the first attack against TLS that I consider to be
| the real deal. To really fix it is going to require a change to
| all affected clients and servers. Fortunately, Eric Rescorla
| has a protocol extension that appears to do the job.
|
...silicon...
--dan
--

On Mon, Nov 9, 2009 at 5:08 PM, Victor Duchovni wrote:
> attack, checking "Referrer" headers is no longer effective, so anti-CSRF
> defenses have to be more sophisticated (they *should* of course be more
Checking the Referer header never was effective. It's not even
guaranteed to be present, let