announcing Tahoe-LAFS v1.8.3, fixing a security issue
Dear People of the cryptography@randombit.net mailing list:
We found a vulnerability in Tahoe-LAFS (all versions from v1.3.0 to v1.8.2
inclusive) that might allow an attacker to delete files. This vulnerability
does not enable anyone to read f
Hi,
>> Yes, with the second operation offline and validating against the NSS
>> root store. I don't have a MS one at the moment, it would be interesting
>> (how do you extract that from Win? The EFF guys should know)
>
> You might look at https://www.eff.org/files/ssl-observatory-code-r1.tar_.bz2
On Tue, Sep 13, 2011 at 2:22 PM, Andy Steingruebl wrote:
> On Tue, Sep 13, 2011 at 10:48 AM, Steven Bellovin
> wrote:
>
>> Furthermore,
>> they're probably right; most of the certificate errors I've
>> seen over the years were from ordinary carelessness or errors,
>> rather than an attack; click
On 2011-09-14 8:57 AM, Andy Steingruebl wrote:
This data, while interesting, doesn't tell us much about how often
users encounter those sites. I much prefer data instrumented from
actual web browsers, or network traffic.
I click OK reflexively. As far as I can tell everyone clicks OK
reflexi
On 2011-09-14 4:31 AM, Seth David Schoen wrote:
https://www.senate.gov/
which had a valid cert a while ago and then recently stopped.
A system that gives false negatives is worthless. It has to be
sufficiently reliable that it makes sense to deny access.
Of course, a system where one has t
On 13-09-2011 16:16, Ralph Holz wrote:
> Hi,
>
> I'm wondering about the use of MD5 in SSL MACs. We see that quite often
> here. What is your take on it?
>
> Given that SSL includes replay protection for its session keys, it does
> not seem to give an attacker any useful time window, but am I mis
On 9/13/2011 4:44 PM, Seth David Schoen wrote:
On the other hand, a similar phenomenon occurs in other
browsers with regard to intermediate CAs, because there's no way to
get a list of intermediate CAs before they are encountered in the wild,
and definitely no way to get an exhaustive list of a
Ralph Holz writes:
> Yes, with the second operation offline and validating against the NSS
> root store. I don't have a MS one at the moment, it would be interesting
> (how do you extract that from Win? The EFF guys should know)
You might look at https://www.eff.org/files/ssl-observatory-code-r1.
From: "Ralph Holz"
To: "Crypto discussion list"
Sent: Tuesday, September 13, 2011 7:14:39 PM
Subject: Re: [cryptography] Let's go back to the beginning on this
Hi,
HTTPS Everywhere makes users encounter this situation more than they
>>> otherwise might.
>>
>>> A week or three ago, I got ce
On Tue, Sep 13, 2011 at 4:09 PM, Ralph Holz wrote:
> Well, yes, but it is the Alexa Top 1 million list that is scanned. I can
> give you a few numbers for the Top 1K or so, too, but it does remain a
> relative "popularity".
How many of those sites ever "advertise" an HTTPS end-point though?
Mayb
Hi,
I'm wondering about the use of MD5 in SSL MACs. We see that quite often
here. What is your take on it?
Given that SSL includes replay protection for its session keys, it does
not seem to give an attacker any useful time window, but am I missing
something maybe?
Ralph
--
Dipl.-Inform. Ralph
Hi,
>>> HTTPS Everywhere makes users encounter this situation more than they
>>> otherwise might.
>>
>> A week or three ago, I got cert warnings - from gmail's page. (Yes, I'm
>> using HTTPS Everywhere).
>
> When _that_ happens, please tell Google and EFF. I'm sure both
> organizations would b
Hi,
> Interesting. Are you pulling the server-certs out of the SSL
> handshake and then checking if they validate against any browser
> store?
Yes, with the second operation offline and validating against the NSS
root store. I don't have a MS one at the moment, it would be interesting
(how do yo
On Tue, Sep 13, 2011 at 3:42 PM, Ralph Holz wrote:
>
> That said, I can see in our monitoring data that about 20-60% of
> certification chains are broken, and these are sites that people do
> access (it is passive monitoring data from a large regional ISP).
Interesting. Are you pulling the serve
Randall Webmail writes:
> From: "Seth David Schoen"
> To: "Crypto discussion list"
> Sent: Tuesday, September 13, 2011 2:31:59 PM
> Subject: Re: [cryptography] Let's go back to the beginning on this
>
> >HTTPS Everywhere makes users encounter this situation more than they
> >otherwise might.
>
From: "Seth David Schoen"
To: "Crypto discussion list"
Sent: Tuesday, September 13, 2011 2:31:59 PM
Subject: Re: [cryptography] Let's go back to the beginning on this
>HTTPS Everywhere makes users encounter this situation more than they
>otherwise might.
A week or three ago, I got cert warnings
Hi,
> Is anyone aware of any up-to-date data on this btw? I've had
> discussions with the browser makers and they have some data, but I
> wonder whether anyone else has any data at scale of how often users
> really do run into cert warnings these days. They used to be quite
> common, but other th
> An alternative to cross-certification called bridge CAs [ ],
> initially known as overseer CAs when they were developed
> for the Automotive Network Exchange (ANX) program and
> which were in turn based on even earlier pre-PKI work on
> inter-realm authentication [ ][ ][ ][ ], avoids this probl
On Sep 13, 2011, at 3:00 32PM, Paul Hoffman wrote:
> On Sep 13, 2011, at 11:57 AM, Steven Bellovin wrote:
>
>>> From personal experience -- I use https to read news.google.com; Firefox 6
>> on a Mac complains about wildcard certificates. And ietf.org's certificate
>> expired recently; it took a
On 09/13/2011 01:31 PM, Seth David Schoen wrote:
An example from yesterday was
https://www.senate.gov/
which had a valid cert a while ago and then recently stopped. (Their
HTTPS support was reported to us as working on June 29; according to
Perspectives, the most recent change apparently happe
On Sep 13, 2011, at 11:57 AM, Steven Bellovin wrote:
>> From personal experience -- I use https to read news.google.com; Firefox 6
> on a Mac complains about wildcard certificates. And ietf.org's certificate
> expired recently; it took a day or so to get a new one installed.
This last bit might
On Sep 13, 2011, at 2:22 28PM, Andy Steingruebl wrote:
> On Tue, Sep 13, 2011 at 10:48 AM, Steven Bellovin
> wrote:
>
>> Furthermore,
>> they're probably right; most of the certificate errors I've
>> seen over the years were from ordinary carelessness or errors,
>> rather than an attack; click
Andy Steingruebl writes:
> They used to be quite common, but other than 1 or 2 sites I visit
> regularly that I know ave self-signed certs, I *never* run into cert
> warnings anymore. BTW, I'm excluding "mixed content" warnings from
> this for the moment because they are a different but related is
On Tue, Sep 13, 2011 at 10:48 AM, Steven Bellovin wrote:
> Furthermore,
> they're probably right; most of the certificate errors I've
> seen over the years were from ordinary carelessness or errors,
> rather than an attack; clicking "OK" is *precisely* the right
> thing to do.
Is anyone aware of
On Sep 12, 2011, at 5:48 00PM, James A. Donald wrote:
>--
> On 2011-09-11 4:09 PM, Jon Callas wrote:
> > The bottom line is that there are places that continuity
> > works well -- phone calls are actually a good one. There
> > are places it doesn't. The SSL problem that Lucky has
> > talked a
On 13/09/2011, at 23:57, Jeffrey Walton wrote:
> On Mon, Sep 12, 2011 at 5:48 PM, James A. Donald wrote:
>>--
>> On 2011-09-11 4:09 PM, Jon Callas wrote:
>>> The bottom line is that there are places that continuity
>>> works well -- phone calls are actually a good one. There
>>> are places
On Mon, Sep 12, 2011 at 5:48 PM, James A. Donald wrote:
> --
> On 2011-09-11 4:09 PM, Jon Callas wrote:
>> The bottom line is that there are places that continuity
>> works well -- phone calls are actually a good one. There
>> are places it doesn't. The SSL problem that Lucky has
>> talked abou
--
On 2011-09-11 4:09 PM, Jon Callas wrote:
> The bottom line is that there are places that continuity
> works well -- phone calls are actually a good one. There
> are places it doesn't. The SSL problem that Lucky has
> talked about so well is a place where it doesn't. Amazon
> can't use conti
On Tue, Sep 13, 2011 at 12:36 PM, wrote:
>
> |
> | let's take just one of the above as an example: high-value monetary
> | transactions - the only item in the list that I am somewhat familiar
> | with.
> |
> | I can not think of a single scenario where the two parties that do
> | that, pre
|
| let's take just one of the above as an example: high-value monetary
| transactions - the only item in the list that I am somewhat familiar
| with.
|
| I can not think of a single scenario where the two parties that do
| that, prefer a trust chain that includes a third party for introd
On 12/09/11 19:12, Marsh Ray wrote:
On 09/12/2011 01:45 PM, M.R. wrote:
The system is not expected to protect individual
liberty, life or limb, nor is it expected to protect high-value
monetary transactions, intellectual property assets, state secrets
or critical civic infrastructure operations.
31 matches
Mail list logo