Ian G wrote:
But don't get me wrong - I am not saying that we should
carry out a world wide pogrom on SSL/PKI. What I am
saying is that once we accept that listening right now
is not an issue - not a threat that is being actively
defended against - this allows us the wiggle room to
deploy that
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
|
| Ian G [EMAIL PROTECTED] writes:
| Perhaps you are unaware of it because no one has chosen to make you
| aware of it. However, sniffing is used quite frequently in cases where
| information is not properly protected. I've
Readers of this list may be interested in an analysis of the Witty
worm's spread by Kumar, Paxson, and Weaver. An article summarizing
the paper is at
http://www.zdnet.co.uk/print/?TYPE=storyAT=39200183-39020375t-1025c
A tentative conclusion is that the worm was probably written by an
On Wednesday 01 June 2005 15:07, [EMAIL PROTECTED] wrote:
Ian G writes:
| In the end, the digital signature was just crypto
| candy...
On the one hand a digital signature should matter more
the bigger the transaction that it protects. On the
other hand, the bigger the transaction the
Amir Herzberg wrote:
Nicely put, but I think not quite fair. From friends in financial and
other companies in the states and otherwise, I hear that Trojans are
very common there as well. In fact, based on my biased judgement and
limited exposure, my impression is that security practice is much
[EMAIL PROTECTED] wrote:
On the one hand a digital signature should matter more
the bigger the transaction that it protects. On the
other hand, the bigger the transaction the lower the
probability that it is between strangers who have no
other leverage for recourse.
And, of course, proving
Heyman, Michael wrote:
Defense in depth can help against spoofing - this includes valid
certificates, personalization (even if it is the less-than-optimal
Citibank-like solution), PetName, etc. Man-in-the-middle is harder given
that we have such a high false positive rate on our best weapon.
On the one hand a digital signature should matter more
the bigger the transaction that it protects. On the
other hand, the bigger the transaction the lower the
probability that it is between strangers who have no
other leverage for recourse.
I think signatures are increasingly being used for
Ahh-oops! That particular reply was scrappily written
late at night and wasn't meant to be sent! Apologies
belatedly, I'd since actually come to the conclusion
that Steve's statement was strictly correct, in that
we won't ever *see* sniffing because SSL is in place,
whereas I interpreted this
ANNOUNCE: PureTLS version 0.9b5
Copyright (C) 1999-2005 Claymore Systems, Inc.
http://www.rtfm.com/puretls
DESCRIPTION
PureTLS is a free Java-only implementation of the SSLv3 and TLSv1
(RFC2246) protocols. PureTLS was developed by Eric Rescorla for
Claymore Systems, Inc, but is being distributed
On Thursday 02 June 2005 11:33, Birger Tödtmann wrote:
On Wednesday, 01.06.2005, 15:23 +0100, Ian G wrote:
[...]
For an example of the latter, look at Netcraft. This is
quite serious - they are putting out a tool that totally
bypasses PKI/SSL in securing browsing. Is it insecure?
On 5/31/05, Ian G [EMAIL PROTECTED] wrote:
I don't agree with your conclusion that hiding algorithms
is a requirement. I think there is a much better direction:
spread more algorithms. If everyone is using crypto then
how can that be relevant to the case?
This is so, in the ideal. But if
Heyman, Michael [EMAIL PROTECTED] writes:
The false positive I was referring to is the something is telling me
something unimportant positive. I didn't mean to infer that the users
likely went through a thought process centered around the possible causes of
the certificate failure, specifically
Magnus Daum and myself have generated MD5-collisions for PostScript files:
http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions/
This work is somewhat similar to the work from Mikle and Kaminsky, except
that our colliding files are not executables, but real documents.
We hope to
On Wednesday 01 June 2005 23:38, Anne Lynn Wheeler wrote:
in theory, the KISS part of SSL's countermeasure for MITM-attack ... is
does the URL you entered match the URL in the provided certificate. An
attack is inducing a fraudulent URL to be entered for which the
attackers have a valid
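The check the post describes (does the host in the URL the user typed match a name in the certificate presented?), as an added example that is not code from the original message or from any browser. The certificates below are constructed test data shaped like the dict that Python's ssl.SSLSocket.getpeercert() returns; the bank and lookalike names are invented. The last pair of checks shows the post's point: a lookalike host with its own valid certificate passes the matching step, because the attack is on which URL gets entered, not on the matching.

```python
"""Browser-style hostname vs. certificate matching (added example).

Assumption: a certificate is the dict form used by
ssl.SSLSocket.getpeercert(): {'subject': ..., 'subjectAltName': ...}.
All certificates below are constructed, not captured from a real site.
"""
from urllib.parse import urlsplit


def cert_names(cert):
    """DNS names the certificate claims: SAN dNSName entries if any,
    otherwise the subject commonName (legacy fallback)."""
    names = [val for typ, val in cert.get("subjectAltName", ()) if typ == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                names.append(val)
    return names


def name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive; a single leading '*.'
    covers exactly one label and is refused at the top level (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]
    if "." not in suffix or "*" in suffix:
        return False
    head, sep, rest = host.partition(".")
    return sep == "." and head != "" and rest == suffix


def url_matches_cert(url, cert):
    """The KISS check: host part of the typed URL vs. the cert's names."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return any(name_matches(name, host) for name in cert_names(cert))


# Constructed sample certificates (hypothetical domains).
BANK_CERT = {
    "subject": ((("commonName", "www.example-bank.com"),),),
    "subjectAltName": (("DNS", "www.example-bank.com"),
                       ("DNS", "example-bank.com")),
}
# The attacker's own, validly issued certificate for a lookalike name.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "www.examp1e-bank.com"),),),
    "subjectAltName": (("DNS", "www.examp1e-bank.com"),),
}


def attack_passes_check():
    """True if a user induced to type the lookalike URL sees no warning."""
    return url_matches_cert("https://www.examp1e-bank.com/login", LOOKALIKE_CERT)


if __name__ == "__main__":
    print("real bank, real cert   :", url_matches_cert("https://www.example-bank.com/", BANK_CERT))
    print("lookalike, bank cert   :", url_matches_cert("https://www.examp1e-bank.com/", BANK_CERT))
    print("lookalike, own cert    :", attack_passes_check())
```

The second case is the one the matching step actually stops (a certificate stolen or borrowed from the genuine site would not cover the lookalike name); the third is the case the post is about, where nothing in the comparison can fail because the attacker controls both the name entered and the name certified.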
Adam Shostack wrote:
So, that may be the case when you're dealing with an SSL accelerator,
but there are lots of other cases, say, implementing database security
rules, or ensuring that non-transactional lookups are logged, which
are harder to argue for, take more time and energy to implement,
--- begin forwarded text
Date: Thu, 2 Jun 2005 14:18:42 -0400
To: Philodox Clips List [EMAIL PROTECTED]
From: R.A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach
Bills
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
On Thursday 02 June 2005 19:28, R.A. Hettinga wrote:
http://www.eweek.com/print_article2/0,2533,a=153008,00.asp
Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
May 31, 2005
Just to make it more interesting, the AG of New York, Eliot Spitzer
has introduced a package of
Cell phone crypto aims to baffle eavesdroppers
By Munir Kotadia, ZDNet Australia
Published on ZDNet News: May 31, 2005, 4:10 PM PT
An Australian company last week launched a security tool for GSM mobile
phones that encrypts transmissions to avoid eavesdroppers.
GSM, or Global System for
--- begin forwarded text
Date: Thu, 2 Jun 2005 20:40:26 -0400
To: Philodox Clips List [EMAIL PROTECTED]
From: R.A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Paying Extra for Faster Airport Security
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Security needs identity like a fish