On Jul 2, 2013, at 2:59 PM, Ryan Sleevi wrote:
> On Tue, July 2, 2013 2:02 pm, Paul Hoffman wrote:
>> On Jul 2, 2013, at 1:52 PM, Ben Laurie wrote:
>>
>>> Alternatively, we stay in this world, clients expire sessions hourly,
>>> and we're all happy.
>>
>> Is this what most recent browsers do?
On Tue, July 2, 2013 2:02 pm, Paul Hoffman wrote:
> On Jul 2, 2013, at 1:52 PM, Ben Laurie wrote:
>
> > Alternatively, we stay in this world, clients expire sessions hourly,
> > and we're all happy.
>
> Is this what most recent browsers do? They expire their TLS sessions after
> an hour? That w
On Jul 2, 2013, at 1:52 PM, Ben Laurie wrote:
> Alternatively, we stay in this world, clients expire sessions hourly,
> and we're all happy.
Is this what most recent browsers do? They expire their TLS sessions after an
hour? That would be nice.
--Paul Hoffman
On 2 July 2013 16:07, Adam Back wrote:
> On Tue, Jul 02, 2013 at 11:48:02AM +0100, Ben Laurie wrote:
>>
>> On 2 July 2013 11:25, Adam Back wrote:
>>>
>>> does it provide forward secrecy (via k' = H(k)?).
>>
>>
>> Resumed [SSL] sessions do not give forward secrecy. Sessions should be
>> expired re
On 2013-07-02, at 4:17 AM, aort...@alu.itba.edu.ar wrote:
>>> Given those shortcomings I think it is not wise to recommend it unless your
>>> enemy doesn't have the resources of a country. That being said, it's the
>>> best tool at the moment, light years ahead of other popular software
>>> like
>>>
On Tue, Jul 2, 2013 at 2:07 AM, ianG wrote:
> ... it only takes a few
> deviations to drift into crisis when power is large and concentrated.
the behemoth that is the current intelligence apparatus(es) is most
disturbing in this aspect; truly excessive concentration of power
unethical to operate
On Tue, Jul 02, 2013 at 11:48:02AM +0100, Ben Laurie wrote:
On 2 July 2013 11:25, Adam Back wrote:
does it provide forward secrecy (via k' = H(k)?).
Resumed [SSL] sessions do not give forward secrecy. Sessions should be
expired regularly, therefore.
That seems like an SSL protocol bug no?
I think DANE will help with that. But that's blocked on having enough/easy
DNSSEC-capable registrars.
- Taral
On Jul 2, 2013 3:26 AM, "Adam Back" wrote:
>
> I think it time to deprecate non-https (and non-forward secret
> ciphersuites.) Compute power has moved on, session cacheing works,
> symm
aort...@alu.itba.edu.ar:
>>> The more interesting point is high vs low latency. I really like the
>>> idea of having a high-latency option in Tor. It would still need to
>>> have a lot of users to actually be useful, though. But it seems there
>>> are various protocols that would be more high-latenc
ianG:
>> You can have privacy by using OTR and that's good in many situations, but
>> won't protect you from somebody with enough money to hire techs and put
>> some taps.
>
>
> The threat is always on the node, never on the wire...
>
It is both. DPI does not merely mean inspection and it hasn'
Michael Rogers:
> On 01/07/13 01:55, Jacob Appelbaum wrote:
>> It is also why we have multiple implementations as well. There is a
>> Java version of Tor that is nearly ready for release and it will
>> solve a number of the C implementation concerns and exchange them
>> for Java related concerns. T
On 7/1/13 1:32 PM, Tom Ritter wrote:
I'm not saying GlobaLeaks+Tor is safe. I'm saying I think our current
remailer network is wildly unsafe. (Now what I think about fixing
it... that's a whole other story, for a whole other time.)
While it's outside the scope of GlobaLeaks to provide a
On 01/07/13 01:55, Jacob Appelbaum wrote:
> It is also why we have multiple implementations as well. There is a
> Java version of Tor that is nearly ready for release and it will
> solve a number of the C implementation concerns and exchange them
> for
On 30/06/13 20:32, Jacob Appelbaum wrote:
> Michael Rogers:
>> I'd love to see a revitalisation of remailer research, focussing
>> on unlinkability (which we know many people would benefit from)
>> rather than sender anonymity (which fewer people need,
Hello cryptographers,
We are excited to share that the Open Technology Fund (OTF) at Radio
Free Asia's (RFA) ongoing solicitation of concept notes is open and
receiving proposals. We seek to fund disruptive technology projects that
advance global Internet freedom and human rights online. If you ar
On 2 July 2013 11:25, Adam Back wrote:
> I think it time to deprecate non-https (and non-forward secret
> ciphersuites.) Compute power has moved on, session cacheing works,
> symmetric crypto is cheap.
>
> Btw did anyone get a handle on session resumption - does it provide forward
> secrecy (via
On 2/07/13 13:25 PM, Adam Back wrote:
I think it time to deprecate non-https (and non-forward secret
ciphersuites.) Compute power has moved on, session cacheing works,
symmetric crypto is cheap.
Good point -- anything that contributes to the "HTTPS Everywhere"
campaign is a good thing. As a
I think it time to deprecate non-https (and non-forward secret
ciphersuites.) Compute power has moved on, session cacheing works,
symmetric crypto is cheap.
Btw did anyone get a handle on session resumption - does it provide forward
secrecy (via k' = H(k)?). Otherwise I saw concerns a disk stor
BTNS (better than nothing security) for IPSec could save it.
There is precedent: the ideas behind SSH totally swept out
secure-telnet within a year or so. Skype demolished other VoIP
providers, because its keys were hidden. The same thing happened with
that email transport security system.
On 2/07/13 03:33 AM, mtm wrote:
as a spartan of sorts, and one that's shared Laphroaig with both a plank
member of the nsa and the creator of fbi's hrt, I'd like to say these
fellas are decent men and not petty.
I know a few of the older ones as well. They are indeed decent men, and
historically
On 2/07/13 11:17 AM, aort...@alu.itba.edu.ar wrote:
But I don't blame you. I don't think any real-time chat can ever be made
"safe" and by safe I mean anonymous, because of its low-latency nature.
On a tangent, I have often wanted high-latency chat because high-speed
chat is so damn disrupti
>> Given those shortcomings I think it is not wise to recommend it unless your
>> enemy doesn't have the resources of a country. That being said, it's the
>> best tool at the moment, light years ahead of other popular software
>> like
>> Cryptocat, whose end-point security should be considered not onl
>> The more interesting point is high vs low latency. I really like the
>> idea of having a high-latency option in Tor. It would still need to
>> have a lot of users to actually be useful, though. But it seems there
>> are various protocols that would be more high-latency-friendly than
>> HTTP - SMT
> So then - what do you suggest to someone who wants to leak a document to
> a press agency that has a GlobaLeaks interface? What do you suggest to
> someone who wants to use a web email account that properly supports
> HTTPS? What do you suggest to someone who wants location privacy from
> their c
Aloha!
On 2013-07-01 15:52 , Eugen Leitl wrote:
> On Sun, Jun 30, 2013 at 07:09:57PM -0700, Yosem Companys wrote:
>> Speaking of which...
>>
>> If you had an extra $2-3K to give to a liberationtech or crypto
>> project, who do you think would benefit