Tim Hudson t...@cryptsoft.com writes:
Does anyone recollect the history behind and the implications of the (open)
SSH choice of 35 as a hard-wired public exponent?
/* OpenSSH versions up to 5.4 (released in 2010) hardcoded e = 35, which is
both a suboptimal exponent (it's less efficient that
Phillip Hallam-Baker hal...@gmail.com writes:
Quick question, anyone got a good scheme for key stretching?
http://lmgtfy.com/?q=hkdfl=1
Peter :-).
___
The cryptography mailing list
cryptography@metzdowd.com
Watson Ladd watsonbl...@gmail.com writes:
The obvious solution: Do it right the first time.
And how do you know that you're doing it right? PGP in 1992 adopted a
bleeding-edge cipher (IDEA) and was incredibly lucky that it's stayed secure
since then. What new cipher introduced up until 1992
Given the recent debate about security levels for different key sizes, the
following paper by Lenstra, Kleinjung, and Thome may be of interest:
Universal security from bits and mips to pools, lakes and beyond
http://eprint.iacr.org/2013/635.pdf
From now on I think anyone who wants to argue
d...@geer.org writes:
The (U.S.) medical records system that started at the Veterans'
Administration and has now spread to all but all parts of the U.S. Federal
government that handle electronic health records is ASCII encoded, and
readable. Called The Blue Button,[1] there is even an HL7-Blue
Jerry Leichter leich...@lrw.com writes:
My favorite more recent example of the pitfalls is TL1, a language and
protocol used to managed high-end telecom equipment. TL1 has a completely
rigorous syntax definition, but is supposed to be readable.
For those not familiar with TL1, supposed to be
Phillip Hallam-Baker hal...@gmail.com writes:
Quite, who on earth thought DER encoding was necessary or anything other than
incredible stupidity?
At least some X.500/LDAP folks thought they could do it. Mind you, we're
talking about people who believe in X.500/LDAP here...
Peter.
=?iso-8859-1?Q?Kristian_Gj=F8steen?= kristian.gjost...@math.ntnu.no writes:
(For what it's worth, I discounted the press reports about a trapdoor in
Dual-EC-DRBG because I didn't think anyone would be daft enough to use it. I
was wrong.)
+1. It's the Vinny Gambini effect (from the film My
ianG i...@iang.org writes:
Well, defaults being defaults, we can assume most people have left it in
default mode. I suppose we could ask for research on this question, but I'm
going to guess: most.
âSoftware Defaults as De Facto Regulation: The Case of Wireless APsâ, Rajiv
Shah and
Adam Back a...@cypherspace.org writes:
Is there a possibility with RSA-RSA ciphersuite to have a certified RSA
signing key, but that key is used to sign an RS key negotiation?
Yes, but not in the way you want. This is what the 1990s-vintage RSA export
ciphersuites did, but they were designed so
Stephen Farrell stephen.farr...@cs.tcd.ie writes:
That's a mischaracterisation I think. Some folks (incl. me) have said that
1024 DHE is arguably better that no PFS and if current deployments mean we
can't ubiquitously do better, then we should recommend that as an option,
while at the same time
Peter Fairbrother zenadsl6...@zen.co.uk writes:
On 24/09/13 05:27, Peter Gutmann wrote:
Peter Fairbrother zenadsl6...@zen.co.uk writes:
If you just want a down-and-dirty 2048-bit FS solution which will work
today,
why not just have the websites sign a new RSA-2048 sub-certificate every
day
Patrick Pelletier c...@funwithsoftware.org writes:
I'm inclined to agree with you, but you might be interested/horrified in the
1024 bits is enough for anyone debate currently unfolding on the TLS list:
That's rather misrepresenting the situation. It's a debate between two
groups, the security
Peter Fairbrother zenadsl6...@zen.co.uk writes:
If you just want a down-and-dirty 2048-bit FS solution which will work today,
why not just have the websites sign a new RSA-2048 sub-certificate every day?
Or every few hours? And delete the secret key, of course.
... and I guess that puts you
Walter van Holst walter.van.ho...@xs4all.nl writes:
These are not rights that are solely vested in the exceptional Americans. The
Bill of Tights [...]
For people unfamiliar with this one, it's the bit that reads:
Congress shall make no law respecting the wearing of hosiery, or prohibiting
Tony Arcieri basc...@gmail.com writes:
On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz fra...@pwpconsult.com wrote:
After Rijndael was selected as AES, someone suggested the really paranoid
should super encrypt with all 5 finalests in the competition. Five level
super encryption is probably
zooko zo...@zooko.com writes:
I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin
were stolen by exploiting this, for example:
http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/
Was that the change that was required by FIPS 140, or a different
Dave Horsfall d...@horsfall.org writes:
Given that there is One True Source of randomness to wit radioactive
emission, has anyone considered playing with old smoke detectors?
The ionising types are being phased out in favour of optical (at least in
Australia) so there must be heaps of them lying
Ben Laurie b...@links.org writes:
We need to get an extension number allocated, since the one it uses clashes
with ALPN.
It does? draft-ietf-tls-applayerprotoneg-01 doesn't mention ID 0x10 anywhere.
(In any case -encrypt-then-MAC got there first, these Johnny-come-lately's can
find their own
Phillip Hallam-Baker hal...@gmail.com writes:
People buy guns despite statistics that show that they are orders of
magnitude more likely to be shot with the gun themselves rather than by an
attacker.
Some years ago NZ abolished its offensive (fighter) air force (the choice was
either to buy
Jeffrey I. Schiller j...@mit.edu writes:
If I was the NSA, I would be scavenging broken hardware from âinterestingâ
venues and purchasing computers for sale in interesting locations. I would be
particularly interested in stolen computers, as they have likely not been
wiped.
Just buy
Ralph Holz ralph-cryptometz...@ralphholz.de writes:
I've followed that list for a while. What I find weird is that there should
be much dissent at all. This is about increasing security based on adding
quite well-understood mechanisms. What's to be so opposed to there?
There wasn't really much
ianG i...@iang.org writes:
And, controlling processes is just what the NSA does.
https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
How does '(a) Organizations and Conferences' differ from SOP for these sorts
of things?
Peter.
___
Ralph Holz ralph-cryptometz...@ralphholz.de writes:
But for right now, what options do we have that are actually implemented
somewhere? Take SSL. CBC mode has come under pressure for SSL (CRIME, BEAST,
etc.), and I don't see any move towards TLS 1.0.
John Denker j...@av8n.com writes:
To say the same thing the other way, I was always amazed that the Nazis were
unable to figure out that their crypto was broken during WWII. There were
experiments they could have done, such as sending out a few U-boats under
strict radio silence and comparing
Perry E. Metzger pe...@piermont.com writes:
I would like to open the floor to *informed speculation* about BULLRUN.
Not informed since I don't work for them, but a connect-the-dots:
1. ECDSA/ECDH (and DLP algorithms in general) are incredibly brittle unless
you get everything absolutely
Perry E. Metzger pe...@piermont.com writes:
I can think of no circumstances where I would voluntarily use LDAP as the
solution to any problem of any sort.
Our direct competitor has asked us to recommend a technology for whatever it
is that LDAP is meant to be the solution for. What should we
[Apparently a pile of my mail got dropped, the following few messages are
re-sends]
The Doctor dr...@virtadpt.net writes:
It might be a reasonable way of protecting PGP key information in DNS records
so that someone doesn't try inserting their own when it's looked up.
And that's the problem
John Kelsey crypto@gmail.com writes:
If I had to bet, I'd bet on bad rngs as the most likely source of a
breakthrough in decrypting lots of encrypted traffic from different sources.
If I had to bet, I'd bet on anything but the crypto. Why attack when you can
bypass [1].
Peter.
[1] From
Phillip Hallam-Baker hal...@gmail.com writes:
To backup the key we tell the device to print out the escrow data on paper.
Let us imagine that there there is a single sheet of paper which is cut into
six parts as follows:
You read my mind :-). I suggested more or less this to a commercial
Perry E. Metzger pe...@piermont.com writes:
At the very least, anyone whining at a standards meeting from now on that
they don't want to implement a security fix because it isn't important to
the user experience or adds minuscule delays to an initial connection or
whatever should be viewed with
Jon Callas j...@callas.org writes:
My opinion about GCM and GMAC has not changed. I've never been a fan.
Same here. AES is, as far as we know, pretty secure, so any problems are
going to arise in how AES is used. AES-CBC wrapped in HMAC is about as solid
as you can get. AES-GCM is a design or
Jon Callas j...@callas.org writes:
How do you feel (heh, I typoed that as feal) about the other AEAD modes?
If it's not a stream cipher and doesn't fail catastrophically with IV reuse
then it's probably as good as any other mode. Problem is that at the moment
modes like AES-CTR are being
Ralph Holz ralph-cryptometz...@ralphholz.de writes:
There is a host of older literature, too - P2P research, however, has become
a cold topic. Although I expect that it will see a revival in the face of
surveillance.
For people who are interested, the list I have (for a year or two back) is:
Before people get too far into conspiracy theories with this, I should point
out that health certificates have been part of corporate Windows environments
for years (I don't know how many exactly, I think it's been since at least
Server 2003). The intent of health certs is that it allows the IT
Victor Duchovni victor.ducho...@morganstanley.com writes:
What are EE certs, did you mean EV?
End-entity certs, i.e. non-CA certs. This means that potentially after the
end of this year and definitely after 2013 it will not be possible to use any
key shorted than 2048 bits with Firefox.
Thierry Moreau thierry.mor...@connotech.com writes:
The PUDEC (Practical Use of Dice for Entropy Collection) scheme has been
advanced. The new web page is at http://pudec.connotech.com
Plus the PUDEC dice sets are now offered for sale.
Hmm, they're somewhat expensive... a cheaper alternative,
Matt Crawford craw...@fnal.gov writes:
EE = End Entity, but I don't read the first sentence the way Peter did.
As I mentioned in my previous followup, it's badly worded, but the intent is
to ban any keys 2K bits of any kind (currently with evolving weasel-words
about letting CAs certify them
From https://wiki.mozilla.org/CA:MD5and1024:
December 31, 2010 - CAs should stop issuing intermediate and end-entity
certificates from roots with RSA key sizes smaller than 2048 bits [0]. All
CAs should stop issuing intermediate and end-entity certificates with RSA
key size smaller than
Jerry Leichter leich...@lrw.com writes:
By the way, the don't acknowledge whether it was the login ID or the
password that was wrong example is one of those things everyone knows -
along with change your password frequently - that have long passed their
use by date.
You got there before I did
From the ukcrypto mailing list:
Just had a new Lloyds credit card delivered, it had a sticker saying I have
to call a number to activate it. I call, it's an automated system.
It asks for the card number, fair enough. It asks for the expiry date, well
maybe, It asks for my DOB, the only
Brian Holyfield has created another implementation of the padding oracle
exploitation tool first described by Juliano Rizzo and Thai Duong, as well as
providing a step-by-step, easy-to-understand explanation of how the attack
works, you can find it at:
Tom Ritter t...@ritter.vg writes:
What's weird is I find confusing literature about what *is* the default for
protecting the viewstate.
I still haven't seen the paper/slides from the talk so it's a bit hard to
comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
(for
Some more amusing anecdotes from the world of PKI:
- A standard type of fraud that's been around for awhile is for scammers to
set up an online presence for a legit offline business, which appears to
check out when someone tries to verify it. A more recent variation on this
is to buy certs
Perry E. Metzger pe...@piermont.com writes:
One wonders what security model indicated 4096 bits is the ideal length
The one that says that if you wind things up past 11 (4096 bits), various
things break.
(D'you really think they applied any kind of security analysis to the choice
of key
John Gilmore g...@toad.com writes:
Let me guess -- to run anything but Windows, you'll soon have to jailbreak
even laptops and desktop PC's?
Naah, we're perfectly safe, like every other similar attempt after 5-10 years
of effort and several hundred million dollars down the drain it'll come to
Perry E. Metzger pe...@piermont.com forwards:
Authorities investigating the 2008 crash of Spanair flight 5022
have discovered a central computer system used to monitor technical
problems in the aircraft was infected with malware
Ray Dillinger b...@sonic.net writes:
On Fri, 2010-08-13 at 14:55 -0500, eric.lengve...@wellsfargo.com wrote:
The big drawback is that those who want to follow NIST's recommendations
to migrate to 2048-bit keys will be returning to the 2005-era overhead.
Either way, that's back in line with the
As part of a thread on another list, I noticed that Bank of America, who until
recently didn't bother protecting the page where users are expected to enter
their credentials with anything more substantial than a GIF of a padlock, now
finally use HTTPS on their home page, and redirect HTTP to HTTPS
Thor Lancelot Simon t...@rek.tjls.com writes:
If you want to see a PKI tragedy in the making, have a look at the CRLs used
by the US DoD.
Only in the making?
Actually it's all relative, in Japan the Docomo folks turned off CRLs because
they found that even a relatively modest CRL (not just the
David-Sarah Hopwood david-sa...@jacaranda.org writes:
Huh? I don't understand the argument being made here.
It's a bogus argument, the text says:
He took a legitimate software package and removed the signature of the
digital certificate it contained, then installed the package on his
Jon Callas j...@callas.org writes:
But S.J. Perleman's Three Shares in a Boat
Uhh. minor nitpick, it was Jerome K.Jerome who wrote Three Shares in a Boat.
He followed it up with Three Certificates on the Bummel, a reference to the
sharing of commercial vendors' code-signing keys with malware
I've been having an off-list discussion with someone about how you'd prevent
the recent Realtek/JMicron certificate fiasco. My thoughts on this:
Since many development shops see the signing process as nothing more than an
annoying speed-bump that stands in the way of application deployment,
I recently came across an example of a file-hiding rootkit for Windows that's
used for good instead of evil: It's a minifilter that hides (or at least
blocks, the files are still visible) access to executables on removable media,
with user-configurable options to block autorun.inf and/or all
Jerry Leichter leich...@lrw.com writes:
One could certainly screw up the design of a recovery system, but one
would have to try. There really ought not be that much of difference
between recovering from m pieces and recovering from one.
There's a *huge* difference, see my previous posting
Jerry Leichter leich...@lrw.com writes:
Here's how I would do it: Key segments are stored on USB sticks. There's a
spot on the device with m USB slots, two buttons, and red and green LED's.
You put your USB keys into the slots and push the first button. If the red
LED lights - you don't have
Thierry Moreau thierry.mor...@connotech.com writes:
With the next key generation for DNS root KSK signature key, ICANN may have
an opportunity to improve their procedure.
What they do will really depend on what their threat model is. I suspect that
in this case their single biggest threat was
Apparently the DNS root key is protected by what sounds like a five-of-seven
threshold scheme, but the description is a bit unclear. Does anyone know
more?
(Oh, and for people who want to quibble over practically-deployed, I'm not
aware of any real usage of threshold schemes for anything, at
Perry E. Metzger pe...@piermont.com writes:
Inspired by recent discussion, these are my theses, which I hereby nail upon
the virtual church door:
Are we allowed to play peanut gallery for this?
1 If you can do an online check for the validity of a key, there is no
need for a long-lived signed
Paul Tiemann paul.tiemann.use...@gmail.com writes:
What if... Firefox (or other) could introduce a big new feature (safety
controls) and ask you up front: Do you want to be safer on the internet?
The problem is that neither the browser vendor nor the users will see it like
this. For the user
Steven Bellovin s...@cs.columbia.edu writes:
When I look at this, though, little of the problem is inherent to PKI.
Rather, there are faulty communications paths.
Oh no my Lord, I assure you that parts of it are excellent! :-).
[...] how should the CA or Realtek know about the problem? [...]
Ben Laurie b...@links.org writes:
On 24/07/2010 18:55, Peter Gutmann wrote:
- PKI dogma doesn't even consider availability issues but expects the
straightforward execution of the condition problem - revoke cert. For a
situation like this, particularly if the cert was used to sign 64-bit
Ben Laurie b...@links.org writes:
I find your response strange. You ask how we might fix the problems, then you
respond that since the world doesn't work that way right now, the fixes won't
work. Is this just an exercise in one-upmanship? You know more ways the world
is broken than I do?
It's
Steven Bellovin s...@cs.columbia.edu writes:
For the last issue, I'd note that using pki instead of PKI (i.e., many
different per-realm roots, authorization certificates rather than identity
certificates, etc.) doesn't help: Realtek et al. still have no better way or
better incentive to revoke
Paul Tiemann paul.tiemann.use...@gmail.com writes:
I like the idea of SSL pinning, but could it be improved if statistics were
kept long-term (how many times I've visited this site and how many times it's
had certificate X, but today it has certificate Y from a different issuer and
certificate
Nicolas Williams nicolas.willi...@oracle.com writes:
Exactly. OCSP can work in that manner. CRLs cannot.
OCSP only appears to work in that manner. Since OCSP was designed to be 100%
bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and
not an OCSP. Specifically, if
Nicolas Williams nicolas.willi...@oracle.com writes:
Sorry, but this is wrong. The OCSP protocol itself really is an online
certificate status protocol.
It's not an online certificate status protocol because it can provide neither
a yes or a no response to a query about the validity of a
Paul Tiemann paul.tiemann.use...@gmail.com writes:
[...]
This is kind of a long message to reply to so I'll just post a meta-reply to
avoid getting bogged down in nitpicking, the message, as the subject line
indicated, was intended to start a discussion on some of the weaknesses
inherent in the
Ian G i...@iang.org writes:
** But talking about TLS/SNI to SSL suppliers is like talking about the
lifeboats on the Titanic ... we don't need it because SSL is unsinkable.
... or talking to PKI standards groups about adding a CRL reason code for
certificate issued in error (e.g. to an
Have you ever wondered what would happen if malware started appearing that was
authenticated by signing keys belonging to major hardware or software vendors?
Over the last week or two we've had a chance to find out:
One of the scariest scenarios for code signing is when the malware authors
manage
From an off-list discussion: Can someone who knows more about how these CDNs
handle certs provide a brief summary for the list? From looking at Sybil
certs grabbed from a few CDN sites there doesn't seem to be any rhyme or
reason to them. Also, how and under what conditions can you get access to
Looks like the CDN certificate is already causing security problems, although
not the kind that I was expecting:
While trying to import a server certificate for a CDN service, a segv bug
was found in [PKI app]. It is likely that this bug is exploitable by
sending a special crafted signed
Readers are cordially invited to go to https://edgecastcdn.net and have a look
at the subjectAltName extension in the certificate that it presents. An
extract is shown at the end of this message, this is just one example of many
like it. I'm not picking on Edgecast specifically, I just used
Paul Wouters p...@xelerance.com writes:
Which is what you should do anyway, in case of a hardware failure. I know the
Linux intel-rng and amd-rng used to produce nice series of zeros.
Do you have any more details on this? Was it a hardware problem, software
problem, ...? How was it caught?
Christian Collberg collb...@gmail.com writes:
I don't know if the new crack reveals anything new. We have a writeup about
the Skype protection techniques in Surreptitious Software, our book on
security-through-obscurity. (Sorry for the blatant self-promotion).
No need to apologise, it's a damn
Ben Laurie b...@google.com writes:
On 2 July 2010 13:19, Eugen Leitl eu...@leitl.org wrote:
http://www.technologyreview.com/printer_friendly_article.aspx?id=25670channel=Briefingssection=Microprocessors
Tuesday, June 29, 2010
Nanoscale Random Number Circuit to Secure Future Chips
Intel unveils
Ralph Holz ralph-cryptometz...@ralphholz.de writes:
CTR mode seems a better choice here. Without getting too technical, security
of CTR mode holds as long as the IVs used are fresh whereas security of CBC
mode requires IVs to be random.
Unfortunately CTR mode, being a stream cipher, fails
Ralph Holz ralph-cryptometz...@ralphholz.de writes:
CTR mode seems a better choice here. Without getting too technical, security
of CTR mode holds as long as the IVs used are fresh whereas security of CBC
mode requires IVs to be random.
Unfortunately CTR mode, being a stream cipher, fails
GPS tracking units that you can fit to your car to track where your kids are
taking it (or *cough* other purposes) have been around for awhile now. It's
interesting to see that recently the sorts of places that'll sell you card
skimmers and RFID cloners have started selling miniature GPS jammers
Nicolas Williams nicolas.willi...@sun.com writes:
I made much the same point, but just so we're clear, SSHv2 re-keying has been
interoperating widely since 2005. (I was at Connectathon, and while the
details of Cthon testing are proprietary, I can generalize and tell you that
interop in this
There have been numerous posts to this list about banks phishing their own
users so I figured I'd start a new thread about other companies who are
potential phishing-targets doing this as well, in this case a phone company.
From the fraud-alert support forum of Vodafone:
There's been a near-neverending debate about who should be responsible for
improving online banking security measures: the users, the banks, the
government, the OS vendor, ... . Here's an interesting perspective from Peter
Benson peter.ben...@codescan.com, reposted with permission, on why the
John Levine jo...@iecc.com writes:
I told him about an approach to use a security dongle that puts the display
and confirmation outside the range of the malware, and although I thought it
was fairly obvious, he'd apparently never heard it before.
Some general thoughts on this, there have been
A Canadian company called SmartSwipe has come up with an interesting way to
protect credit card numbers from most man-in-the-browser attacks. What they
do is install a Windows CSP (cryptographic service provider) that acts as a
proxy to an external mag-stripe reader with built-in crypto
Brian Warner war...@lothar.com writes:
From what I can tell, the Sparkle update framework (for OS-X)[1] is doing
something like what I want for firefox: the Sparkle-enabled application will
only accept update bundles which are signed by a DSA privkey that matches a
pubkey embedded in the app.
Kevin W. Wall kevin.w.w...@gmail.com writes:
(Obviously some of these padding schemes such as OAEP are not suitable with
symmetric ciphers. Or at least I don't think they are.)
You'd be surprised at what JCE developers will implement just because they
can, and what therefore gets used by
David Wagner d...@cs.berkeley.edu writes:
(You could replace AES-CMAC with SHA1-HMAC, but why would you want to?)
The answer to that depends on whether you need to support an existing base of
crypto software and hardware. Even though (in this case) it's a new standard,
it still requires support
Damien Miller d...@mindrot.org writes:
The seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I
don't think OpenSSL even supports a CTR mode through its EVP API.
I first saw it reported on the Putty bugs list [0], a good place to track
interop problems with implementations since
David Johnston d...@deadhat.com writes:
Convincing yourself that you have implemented AES-CTR correctly usually
involves first checking that your AES-ECB is correct, then putting the output
of you counter construction into some other known good AES-CTR implementation
and comparing the results
Ian G i...@systemics.com writes:
If one is trying to solve the whole thing, then using the much-commented
secure-bookmarks model would do this. Within the secure bookmark, record the
user's certificate and cache enough info on the server's cert to deal with
replacements (like, cert, name, CA).
Thor Lancelot Simon t...@rek.tjls.com writes:
I think we're largely talking past one another. As regards new horrible
problems I meant simply that if there _are_ new horrible problems_ such
that we need to switch away from SHA1 in the TLS PRF, the design mistakes
made in TLS 1.1 will make it
Steven Bellovin s...@cs.columbia.edu writes:
This returns us to the previously-unsolved UI problem: how -- with today's
users, and with something more or less like today's browsers since that's
what today's users know -- can a spoof-proof password prompt be presented?
Good enough to satisfy
James A. Donald jam...@echeque.com writes:
I cannot see how you could create a bank web page without a web application
framework (counting mod-php as a very primitive web application framework)
and scripting and a database, which scripting and database has to know who it
is is that logged in
We
James A. Donald jam...@echeque.com writes:
[Incredibly complicated description of web scripting plumbing deleted]
We seem to be talking about competely different things here. For a typical
application, say online banking, I connect to my bank at www.bank.com or
whatever, the browser requests my
James A. Donald jam...@echeque.com writes:
For password-authenticated key agreement such as TLS-SRP or TLS-PSK to work,
login has to be in the chrome.
Sure, but that's a relatively tractable UI problem (and see the comment below
on Camino). Certificates on the other hand are an apparently
James A. Donald jam...@echeque.com writes:
This, however, requires both client UI software, and an api to server side
scripts such as PHP, Perl, or Python (the P in LAMP). On the server side, we
need a request object in the script language that tells the script that this
request comes from an
Ben Laurie b...@google.com writes:
So, I've heard many complaints over the years about how the UI for
client certificates sucks. Now's your chance to fix that problem -
we're in the process of thinking about new client cert UI for Chrome,
and welcome any input you might have. Obviously
Arshad Noor arshad.n...@strongauth.com writes:
If you (or anyone on this forum) know of technology that allows the
application to gain access to the crypto-hardware after an unattended reboot
- but can prevent an attacker from gaining access to those keys after
compromising a legitimate ID on the
Jon Callas j...@callas.org writes:
Okay, password-protected files would get it, too. I won't ask why you're
sending password protected files to an agent.
They're not technically password-protected files but pre-shared key (PSK)
protected files, where the keys have a high level of entropy
Perry E. Metzger pe...@piermont.com writes:
This highlights an unfortunate instance of monoculture -- nearly everyone on
the internet uses Flash for nearly all the video they watch, so just about
everyone in the world is using a binary module from a single vendor day in,
day out.
There are quite
1 - 100 of 466 matches
Mail list logo
