On 12/09/11 19:12, Marsh Ray wrote:
On 09/12/2011 01:45 PM, M.R. wrote:
The system is not expected to protect individual
liberty, life or limb, nor is it expected to protect high-value
monetary transactions, intellectual property assets, state secrets
or critical civic infrastructure
|
| let's take just one of the above as an example: high-value monetary
| transactions - the only item in the list that I am somewhat familiar
| with.
|
| I can not think of a single scenario where the two parties that do
| that, prefer a trust chain that includes a third party for
On Tue, Sep 13, 2011 at 12:36 PM, d...@geer.org wrote:
|
| let's take just one of the above as an example: high-value monetary
| transactions - the only item in the list that I am somewhat familiar
| with.
|
| I can not think of a single scenario where the two parties that do
|
--
On 2011-09-11 4:09 PM, Jon Callas wrote:
The bottom line is that there are places that continuity
works well -- phone calls are actually a good one. There
are places it doesn't. The SSL problem that Lucky has
talked about so well is a place where it doesn't. Amazon
can't use
On Mon, Sep 12, 2011 at 5:48 PM, James A. Donald jam...@echeque.com wrote:
--
On 2011-09-11 4:09 PM, Jon Callas wrote:
The bottom line is that there are places that continuity
works well -- phone calls are actually a good one. There
are places it doesn't. The SSL problem that Lucky has
On 13/09/2011, at 23:57, Jeffrey Walton noloa...@gmail.com wrote:
On Mon, Sep 12, 2011 at 5:48 PM, James A. Donald jam...@echeque.com wrote:
--
On 2011-09-11 4:09 PM, Jon Callas wrote:
The bottom line is that there are places that continuity
works well -- phone calls are actually a good
On Sep 12, 2011, at 5:48 00PM, James A. Donald wrote:
--
On 2011-09-11 4:09 PM, Jon Callas wrote:
The bottom line is that there are places that continuity
works well -- phone calls are actually a good one. There
are places it doesn't. The SSL problem that Lucky has
talked about so
On Tue, Sep 13, 2011 at 10:48 AM, Steven Bellovin s...@cs.columbia.edu wrote:
Furthermore,
they're probably right; most of the certificate errors I've
seen over the years were from ordinary carelessness or errors,
rather than an attack; clicking OK is *precisely* the right
thing to do.
Is
Andy Steingruebl writes:
They used to be quite common, but other than 1 or 2 sites I visit
regularly that I know have self-signed certs, I *never* run into cert
warnings anymore. BTW, I'm excluding mixed content warnings from
this for the moment because they are a different but related issue.
On Sep 13, 2011, at 2:22 28PM, Andy Steingruebl wrote:
On Tue, Sep 13, 2011 at 10:48 AM, Steven Bellovin s...@cs.columbia.edu
wrote:
Furthermore,
they're probably right; most of the certificate errors I've
seen over the years were from ordinary carelessness or errors,
rather than an
On Sep 13, 2011, at 11:57 AM, Steven Bellovin wrote:
From personal experience -- I use https to read news.google.com; Firefox 6
on a Mac complains about wildcard certificates. And ietf.org's certificate
expired recently; it took a day or so to get a new one installed.
This last bit might be
On 09/13/2011 01:31 PM, Seth David Schoen wrote:
An example from yesterday was
https://www.senate.gov/
which had a valid cert a while ago and then recently stopped. (Their
HTTPS support was reported to us as working on June 29; according to
Perspectives, the most recent change apparently
On Sep 13, 2011, at 3:00 32PM, Paul Hoffman wrote:
On Sep 13, 2011, at 11:57 AM, Steven Bellovin wrote:
From personal experience -- I use https to read news.google.com; Firefox 6
on a Mac complains about wildcard certificates. And ietf.org's certificate
expired recently; it took a day or
Hi,
Is anyone aware of any up-to-date data on this btw? I've had
discussions with the browser makers and they have some data, but I
wonder whether anyone else has any data at scale of how often users
really do run into cert warnings these days. They used to be quite
common, but other than 1
From: Seth David Schoen sch...@eff.org
To: Crypto discussion list cryptography@randombit.net
Sent: Tuesday, September 13, 2011 2:31:59 PM
Subject: Re: [cryptography] Let's go back to the beginning on this
HTTPS Everywhere makes users encounter this situation more than they
otherwise might.
A
Randall Webmail writes:
From: Seth David Schoen sch...@eff.org
To: Crypto discussion list cryptography@randombit.net
Sent: Tuesday, September 13, 2011 2:31:59 PM
Subject: Re: [cryptography] Let's go back to the beginning on this
HTTPS Everywhere makes users encounter this situation more
Hi,
Interesting. Are you pulling the server-certs out of the SSL
handshake and then checking if they validate against any browser
store?
Yes, with the second operation offline and validating against the NSS
root store. I don't have a MS one at the moment, it would be interesting
(how do you
Hi,
HTTPS Everywhere makes users encounter this situation more than they
otherwise might.
A week or three ago, I got cert warnings - from gmail's page. (Yes, I'm
using HTTPS Everywhere).
When _that_ happens, please tell Google and EFF. I'm sure both
organizations would be fascinated.
Hi,
I'm wondering about the use of MD5 in SSL MACs. We see that quite often
here. What is your take on it?
Given that SSL includes replay protection for its session keys, it does
not seem to give an attacker any useful time window, but am I missing
something maybe?
Ralph
--
Dipl.-Inform.
On Tue, Sep 13, 2011 at 4:09 PM, Ralph Holz h...@net.in.tum.de wrote:
Well, yes, but it is the Alexa Top 1 million list that is scanned. I can
give you a few numbers for the Top 1K or so, too, but it does remain a
relative popularity.
How many of those sites ever advertise an HTTPS end-point
From: Ralph Holz h...@net.in.tum.de
To: Crypto discussion list cryptography@randombit.net
Sent: Tuesday, September 13, 2011 7:14:39 PM
Subject: Re: [cryptography] Let's go back to the beginning on this
Hi,
HTTPS Everywhere makes users encounter this situation more than they
otherwise might.
Ralph Holz writes:
Yes, with the second operation offline and validating against the NSS
root store. I don't have a MS one at the moment, it would be interesting
(how do you extract that from Win? The EFF guys should know)
You might look at
On 9/13/2011 4:44 PM, Seth David Schoen wrote:
On the other hand, a similar phenomenon occurs in other
browsers with regard to intermediate CAs, because there's no way to
get a list of intermediate CAs before they are encountered in the wild,
and definitely no way to get an exhaustive list of
On 13-09-2011 16:16, Ralph Holz wrote:
Hi,
I'm wondering about the use of MD5 in SSL MACs. We see that quite often
here. What is your take on it?
Given that SSL includes replay protection for its session keys, it does
not seem to give an attacker any useful time window, but am I missing
On 2011-09-14 4:31 AM, Seth David Schoen wrote:
https://www.senate.gov/
which had a valid cert a while ago and then recently stopped.
A system that gives false negatives is worthless. It has to be
sufficiently reliable that it makes sense to deny access.
Of course, a system where one has