Hi,
Any model that offers a security feature to a trivially tiny minority,
to the expense of the dominant majority, is daft. The logical
conclusion of 1.5 decades worth of experience with centralised root
lists is that we, in the aggregate, may as well trust Microsoft and the
other root
Hi,
The most common security breach is probably that a government or
powerful private group launches a man in the middle attack. Are CAs
going to report that? Seems unlikely.
The key word in your sentence is probably. Just how much is that?
I'm not saying I'm not with you in the general
probably still have to disable password access.
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
www.bloemendaal.nl
(29 rows)
[1] We'll make the datasets public soon-ish.
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
Hi,
I (still) cannot believe how Symantec reacts to the DigiNotar breaches -
basically ignoring the known shortcomings:
http://www.symantec.com/connect/blogs/why-your-certificate-authority-matters
Marketing department speaking, no doubt.
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network
help you if
DigiNotar is hacked afterwards and certificates for your domain issued.
I am no good at predicting customer behaviour, but why should customers
opt for the more expensive solution then?
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität
(it is passive monitoring data from a large regional ISP).
In our scanning data, we find that only about 18% of certificates have
both a valid chain plus the correct hostname (wildcarded or not) in
their CNs or SANs.
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische
for the Top 1K or so, too, but it does remain a
relative popularity.
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
.
I would also be very interested to hear from where that happened, and if
you can give us a traceroute...
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP
. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
___
cryptography mailing list
cryptography@randombit.net
http
it directly from
Windows, maybe polling MS?
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
were valid (chain, host name) for the thus
protected login site.
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
Hi,
Are there weaknesses in PKI? Undoubtedly! But, there are failures
in every ecosystem. The intelligent response to certificate
manufacturing and distribution weaknesses is to improve the quality
of the ecosystem - not throw the baby out with the bath-water.
And how do you propose to go
Hi,
In the EFF dataset of the full IPv4 space, I find 773,512 such certificates.
Could these be from the bizarro Korean DIY PKI (the NPKI) that they've
implemented? Could you post (or email) some of the certs?
I don't think so. Here is a list of COUNT(issuers), issuers from the
EFF
://conferences.sigcomm.org/imc/2011/program.htm
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
Good day,
We have just uploaded the following data sets we mention in our IMC paper.
Certificates found different between location China-1 and TUM, Apr 2011
Certificates found different between location China-2 and TUM, Apr 2011
Certificates found different between location Moscow and TUM, Apr
On Mon, Sep 19, 2011 at 11:18 PM, Ralph Holz h...@net.in.tum.de
mailto:h...@net.in.tum.de wrote:
Good day,
We have just uploaded the following data sets we mention in our IMC
paper.
Certificates found different between location China-1 and TUM, Apr 2011
Certificates
- Sitting ourselfs in different geographic locations when performing
data collection should be done using different methods (use of
proxy's, people from different countries submitting their certificates
views..???).
Sorry, I don't quite get that?
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network
Using Active and Passive Measurements
Ralph Holz, Lothar Braun, Nils Kammenhuber, Georg Carle
Technische Universität München
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description
). Would the MitM-ing
sub-CAs take the fall? (lose license and invested funds)
We're actually about to release a little tool that does exactly that,
report the encountered MitM for further scrutiny.
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität
, and we've
just followed up on it. We've proposed a talk at berlinsides, let's see
if that works out. :-)
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP
. :-/
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
___
cryptography mailing list
cryptography
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
___
cryptography mailing list
cryptography
stand. :-)
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
___
cryptography mailing list
online revocation checking.
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
signature.asc
Description: OpenPGP digital signature
___
cryptography mailing list
whether they are dropping CAs or not.
iang
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
--
Ralph Holz
Network Architectures and Services
Technische Universität München
http
them? -- have not yet publicly stated that they
have never issued such certs. I think giving them a chance at amnesty is
a better strategy.
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB
for past
mistakes, *and* take precautions they are not repeated. That's a net
gain in security for everyone, and that's why I was against kicking out
TrustWave.
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP
--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
signature.asc
Description: OpenPGP digital signature
___
cryptography
of an unauthorized
one, where in this case authorized means the administrator of the client
node positively agreed to have that node's traffic MITMed.
Yes, fully agreed. But I still think pulling their root would have given
the wrong incentive to CAs.
Ralph
--
Ralph Holz
Network Architectures
want clients have to register with our server
and obtain an identity. That's a sore point.
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
signature.asc
back. This is
still not too bad DoS-wise, but it allows to send forged traceroute results.
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
signature.asc
,
especially the states with a death penalty, and the UK and/or DE?
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
signature.asc
Description: OpenPGP digital
evidence here. It would be
conclusive if they compared keys created with the help of the same
source of randomness and primality testers.
Interestingly, in their own conclusions section they do not reiterate
the above statement.
Ralph
--
Ralph Holz
Network Architectures and Services
Technische
Hi,
the following blog post, which documents similar efforts, sheds some
light, I think:
https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität
in
the face of the constitution and actually so badly written it violates
some of the really important and very distinct guidelines that the
courts have given us.
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805
Hi,
In the past there have been a few proposals to use asymmetric cryptosystems,
typically RSA, like symmetric ones by keeping the public key secret, the idea
behind this being that if the public key isn't known then there isn't anything
for an attacker to factor or otherwise attack. Turns
: That information can be found in the Mozilla spreadsheet that
Kathleen Wilson maintains in Google Docs. A Google search of
moz.dev.sec.pol should yield it.
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität München
Phone +49 89 28918043
http://www.net.in.tum.de/de
Hi,
On 01/05/2013 12:29 PM, Ben Laurie wrote:
Unless all the people who saw it happened to be running Chrome, then
it seems quite likely it was used maliciously, surely?
The problem is that there are many values that both legitimately and
maliciously can take. Turktrust's argument seems to be
Hi,
Is inclusion of a root CA in the major browsers a shall issue process
? hat is, you meet the criteria and you get in ? Or is it a subjective,
political process ?
The process varies between browser vendors, with baseline requirements
established in the CAB Forum. Audits are usually
. But why CT? It is a very useful monitoring tool, and has some
advantages over Sovereign Keys.
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität München
Phone +49 89 28918043
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83
? Grateful
for any pointers.
Thanks,
Ralph
--
Ralph Holz
Network Architectures and Services
Technische Universität München
Phone +49 89 28918043
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
signature.asc
Description: OpenPGP digital signature
Hi,
On 04/09/2013 04:05 AM, Tom Ritter wrote:
Somebody did ;) http://www.sshark.org/
Could I shamelessly self-advertise our notary service for SSH host keys?
ralph@firenze:~$ dig -t TXT 131.159.15.12.cbssh.net.in.tum.de
;; ANSWER SECTION:
131.159.15.12.cbssh.net.in.tum.de. 21600 IN TXT {ip:
The state of the art is represented by:
- ProVerif (represent protocols by Horn clauses and analyzes them
doing over-approximation)
http://prosecco.gforge.inria.fr/personal/bblanche/proverif/
- Scyther (symbolic backwards search)
http://people.inf.ethz.ch/cremersc/scyther/index.html
-
fixing at the moment.
[1] https://addons.mozilla.org/de/firefox/addon/certificate-patrol/
[2]
http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/holz_x509forensics_esorics2012.pdf
[3] http://www.youtube.com/watch?v=29h21n-tyfEt=46m26s
Ralph
--
Ralph Holz
I8 - Network Architectures
that.
Ralph
--
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
___
cryptography mailing list
the
Alexa range. Granted, many of those hosts may not be VHosts.
Does Google have better data on that?
Ralph
--
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4
information from zone files
(which we have, but I don't have the time to do it).
[0] https://en.wikipedia.org/wiki/Server_Name_Indication
Yes, but our scans back then did not determine deployed server versions.
Ralph
--
Ralph Holz
I8 - Network Architectures and Services
Technische Universität
information that is deeply in the public interest.
All the best,
Jacob
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
--
Ralph Holz
I8 - Network Architectures and Services
49 matches
Mail list logo