Re: SSL for debian.org/security?

2013-12-31 Thread Luca Filipozzi
On Wed, Oct 30, 2013 at 11:12:57AM -0400, Mark Haase wrote: On Mon, Oct 28, 2013 at 10:01 PM, Luca Filipozzi lfili...@debian.org wrote: On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote: I'd like to suggest that Debian should at least use SSL on their security site, even if

Re: SSL for debian.org/security?

2013-11-12 Thread Pedro Worcel
Also, what is to prevent someone interfering with the creation of the certificate that will be embedded in the device (or poor pseudo-random while generating it, etc.), and what would be the cost of replacing the certificate inside the device once/if compromised? 2013/11/12 Andreas Kuckartz

Re: SSL for debian.org/security?

2013-11-12 Thread Hans-Christoph Steiner
The whole card setup would be less than 50 Euros, that does not seem at all like a significant amount of money. You can get a card for 14€ and a USB reader for 18€ http://www.g10code.com/p-card.html The cards have two modes with which they work with keys: * generate the key on the card, export

Re: SSL for debian.org/security?

2013-11-12 Thread Henrik Ahlgren
On Tue, Nov 12, 2013 at 01:15:38PM -0500, Hans-Christoph Steiner wrote: Having the key generated on the card is the most secure, since those cards are designed so you can't read the secret key off of the card. So the cost of putting a new certificate on the card is only someone's time for

Re: SSL for debian.org/security?

2013-11-12 Thread Hans-Christoph Steiner
On 11/12/2013 01:58 PM, Henrik Ahlgren wrote: On Tue, Nov 12, 2013 at 01:15:38PM -0500, Hans-Christoph Steiner wrote: Having the key generated on the card is the most secure, since those cards are designed so you can't read the secret key off of the card. So the cost of putting a new

Re: SSL for debian.org/security?

2013-11-12 Thread Jérémie Marguerie
On Tue, Nov 12, 2013 at 10:58 AM, Henrik Ahlgren pa...@seestieto.com wrote: But there is the significant downside that it is not possible to backup the key, so if the card gets destroyed in a fire or just fails and stops working, the key needs to be revoked, since only one physical copy of the

Re: SSL for debian.org/security?

2013-11-11 Thread Mike Mestnik
I don't see how this is relevant? Obviously if hardware is seized then the owners no longer have control. If you have suggestions as to how to secure hardware that's great, but if you just want to point out that nothing can be done, that's not helpful. On Tue, Oct 29, 2013 at 4:52 AM, Tormen

Re: SSL for debian.org/security?

2013-11-11 Thread Jérémie Marguerie
On Mon, Nov 11, 2013 at 2:48 PM, Mike Mestnik che...@mikemestnik.net wrote: I don't see how this is relevant? Obviously if hardware is seized then the owners no longer have control. If you have suggestions as to how to secure hardware that's great, but if you just want to point out that

Re: SSL for debian.org/security?

2013-11-11 Thread Hans-Christoph Steiner
On 11/11/2013 07:41 PM, Jérémie Marguerie wrote: On Mon, Nov 11, 2013 at 2:48 PM, Mike Mestnik che...@mikemestnik.net wrote: I don't see how this is relevant? Obviously if hardware is seized then the owners no longer have control. If you have suggestions as to how to secure hardware that's

Re: SSL for debian.org/security?

2013-11-11 Thread Andreas Kuckartz
Hans-Christoph Steiner: The crypto smartcard (aka Hardware Security Module) is some work to set up, but not really all that much. And they are easy to use once set up. And they provide a huge boost in the security of the certificate. Such hardware also costs a significant amount of money. Are

Re: SSL for debian.org/security?

2013-11-07 Thread Jacob Appelbaum
Hans-Christoph Steiner: On 10/30/2013 10:49 AM, Norbert Kiszka wrote: On 2013-10-30, Wed at 11:34 -0200, Djones Boni wrote: On 30-10-2013 11:05, Celejar wrote: You're snipping crucial context; my comment above was in response to this: For apt-get a self-signed certificate could be

Re: SSL for debian.org/security?

2013-10-31 Thread Hans-Christoph Steiner
On 10/30/2013 10:49 AM, Norbert Kiszka wrote: On 2013-10-30, Wed at 11:34 -0200, Djones Boni wrote: On 30-10-2013 11:05, Celejar wrote: You're snipping crucial context; my comment above was in response to this: For apt-get a self-signed certificate could be used which comes together

Re: SSL for debian.org/security?

2013-10-30 Thread Vipul Agarwal
How about if we use an SSL certificate signed by Debian's own root CA which can be shipped with the distros? This will eliminate the paranoia about NSA having control over the existing CA, especially the one based in the States. -Vipul On Oct 29, 2013 4:18 AM, Volker Birk v...@pibit.ch wrote: On

Re: SSL for debian.org/security?

2013-10-30 Thread Volker Birk
On Wed, Oct 30, 2013 at 09:15:44AM +, Vipul Agarwal wrote: How about if we use an SSL certificate signed by Debian's own root CA which can be shipped with the distros? If you want to be sure that TLS is not b0rken, you have to kick out each CA, and to manually check each key again. What's

Re: SSL for debian.org/security?

2013-10-30 Thread adrelanos
For apt-get a self-signed certificate could be used which comes together with Debian. No CA required. This is both simpler and safer. Vipul Agarwal: How about if we use an SSL certificate signed by Debian's own root CA which can be shipped with the distros? This will eliminate the paranoia about

Re: SSL for debian.org/security?

2013-10-30 Thread Celejar
On Wed, 30 Oct 2013 09:59:39 + adrelanos adrela...@riseup.net wrote: For apt-get a self-signed certificate could be used which comes together with Debian. No CA required. This is both simpler and safer. Maybe I'm missing something, but the security of the apt system has nothing to do with

Re: SSL for debian.org/security?

2013-10-30 Thread adrelanos
Celejar: Maybe I'm missing something, but the security of the apt system has nothing to do with SSL - it uses GPG signatures. This discussion about SSL concerns the website, etc. That was indeed the original question, but it then drifted in the direction of how great it would be to further

Re: SSL for debian.org/security?

2013-10-30 Thread Djones Boni
On 30-10-2013 09:51, Celejar wrote: Maybe I'm missing something, but the security of the apt system has nothing to do with SSL - it uses GPG signatures. This discussion about SSL concerns the website, etc. The point is server authentication. Without SSL anyone can simply hack DNS or MITM and

Re: SSL for debian.org/security?

2013-10-30 Thread Celejar
On Wed, 30 Oct 2013 10:34:15 -0200 Djones Boni 07ea86b...@gmail.com wrote: On 30-10-2013 09:51, Celejar wrote: Maybe I'm missing something, but the security of the apt system has nothing to do with SSL - it uses GPG signatures. This discussion about SSL concerns the website, etc. The

Re: SSL for debian.org/security?

2013-10-30 Thread Djones Boni
On 30-10-2013 11:05, Celejar wrote: You're snipping crucial context; my comment above was in response to this: For apt-get a self-signed certificate could be used which comes together with Debian. No CA required. This is both simpler and safer. I was pointing out that this comment makes no

Re: SSL for debian.org/security?

2013-10-30 Thread adrelanos
Djones Boni: On 30-10-2013 11:05, Celejar wrote: You're snipping crucial context; my comment above was in response to this: For apt-get a self-signed certificate could be used which comes together with Debian. No CA required. This is both simpler and safer. I was pointing out that this

Re: SSL for debian.org/security?

2013-10-30 Thread Norbert Kiszka
On 2013-10-30, Wed at 11:34 -0200, Djones Boni wrote: On 30-10-2013 11:05, Celejar wrote: You're snipping crucial context; my comment above was in response to this: For apt-get a self-signed certificate could be used which comes together with Debian. No CA required. This is both

Re: SSL for debian.org/security?

2013-10-30 Thread Mark Haase
Thanks, Luca. Will you notify this mailing list when the SSL certs have been installed? On Mon, Oct 28, 2013 at 10:01 PM, Luca Filipozzi lfili...@debian.org wrote: On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote: I'd like to suggest that Debian should at least use SSL on their

Re: SSL for debian.org/security?

2013-10-29 Thread Nikolay Kubarelov
Hello, I would use Tor hidden service instead of SSL. Greetings from Bulgaria, Nikolay Kubarelov On 10/29/2013 03:31 AM, Mark Haase wrote: It's a bit ironic that the Debian security site doesn't offer SSL, right? If an attacker can MITM an organization that uses Debian, then they can MITM

Re: SSL for debian.org/security?

2013-10-29 Thread Jordon Bedwell
On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote: I would use Tor hidden service instead of SSL. Wait: What? Can't tell if serious. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact

Re: SSL for debian.org/security?

2013-10-29 Thread Tormen
On 29/10/13 10:44, Jordon Bedwell wrote: On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote: I would use Tor hidden service instead of SSL. Wait: What? Can't tell if serious. And then again:

Re: SSL for debian.org/security?

2013-10-29 Thread adrelanos
Jordon Bedwell: On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote: I would use Tor hidden service instead of SSL. Wait: What? Can't tell if serious. Why shouldn't that be serious? Tor hidden services can not only be used to hide the location of a server, but they

Re: SSL for debian.org/security?

2013-10-29 Thread adrelanos
Tormen: On 29/10/13 10:44, Jordon Bedwell wrote: On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote: I would use Tor hidden service instead of SSL. Wait: What? Can't tell if serious. And then again:

Re: SSL for debian.org/security?

2013-10-29 Thread Djones Boni
On 29-10-2013 07:29, Nikolay Kubarelov wrote: I would use Tor hidden service instead of SSL. Tor is too slow and you must install additional software. A better idea is to offer both SSL and a Tor Hidden Service. You choose which to use. Do not forget Tor encryption is not considered secure anymore.

Re: SSL for debian.org/security?

2013-10-29 Thread burgers.rob
It's not Tor itself that was compromised but the version of Firefox bundled with the Tor browser bundle. They used a 0day to install a tracking cookie in FF. From: Djones Boni Sent: Tuesday 29 October 2013 11:09 To: debian-security@lists.debian.org On 29-10-2013 07:29,

Re: SSL for debian.org/security?

2013-10-29 Thread Djones Boni
On 29-10-2013 08:36, burgers@gmail.com wrote: It's not Tor itself that was compromised but the version of Firefox bundled with the Tor browser bundle. They used a 0day to install a tracking cookie in FF. The FF bug exploited by the Freedom Hosting script was not a 0day one. There was an updated

Re: SSL for debian.org/security?

2013-10-29 Thread adrelanos
Djones Boni: A Debian THS is a good idea for the security it provides, not for anonymity or down rate. It would be harder for someone to MITM and hide updates from you. That is why Debian should use SSL (and THS). Downloading apt-get updates over Tor hidden services would be awesome! - Even when

Re: SSL for debian.org/security?

2013-10-29 Thread adrelanos
Djones Boni: A better idea is to offer both SSL and a Tor Hidden Service. You choose which to use. Yes, having both is better. Only relying on Tor Hidden Services wouldn't be a good idea. Offering it as an option would be awesome! Do not forget Tor encryption is not considered secure anymore. There

Re: SSL for debian.org/security?

2013-10-29 Thread Celejar
On Tue, 29 Oct 2013 10:05:53 + adrelanos adrela...@riseup.net wrote: Jordon Bedwell: On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote: I would use Tor hidden service instead of SSL. Wait: What? Can't tell if serious. Why shouldn't that be serious?

Re: SSL for debian.org/security?

2013-10-29 Thread Tormen
On 29/10/13 12:53, adrelanos wrote: Downloading apt-get updates over Tor hidden services would be awesome! - Even when an adversary found a way to exploit apt-get's OpenPGP verification, the exploit could not be used, because Tor hidden services implement their own encryption/authentication. -

Re: SSL for debian.org/security?

2013-10-29 Thread Djones Boni
On 29-10-2013 09:56, Celejar wrote: The OP was asking for authentication, not encryption. Celejar Tor HS addresses are self authenticating (80 bits of entropy). It is possible (and very hard) to create an alias but it is much better than clear text over http. On 29-10-2013 09:53, adrelanos

Re: SSL for debian.org/security?

2013-10-29 Thread Szabó Péter
On 2013.10.29. 13:32, Djones Boni wrote: On 29-10-2013 09:56, Celejar wrote: The OP was asking for authentication, not encryption. Celejar Tor HS addresses are self authenticating (80 bits of entropy). It is possible (and very hard) to create an alias but it is much better than clear text over

Re: SSL for debian.org/security?

2013-10-29 Thread Celejar
On Tue, 29 Oct 2013 10:32:26 -0200 Djones Boni 07ea86b...@gmail.com wrote: On 29-10-2013 09:56, Celejar wrote: The OP was asking for authentication, not encryption. Celejar Tor HS addresses are self authenticating (80 bits of entropy). Okay, but the message I was replying to mentioned only

Re: SSL for debian.org/security?

2013-10-29 Thread Djones Boni
On 29-10-2013 10:49, Celejar wrote: The question is not whether it's better than clear text over HTTP, but whether it's better than SSL. *If no CA is compromised*, I think SSL alone is more secure than Tor alone. But it is possible to use SSL with Tor. Then there are two layers of

Re: SSL for debian.org/security?

2013-10-29 Thread intrigeri
adrelanos wrote (29 Oct 2013 11:53:06 GMT) : Downloading apt-get updates over Tor hidden services would be awesome! I don't think there is anything preventing anyone from running a Debian mirror over a Tor HS.

Re: SSL for debian.org/security?

2013-10-29 Thread Celejar
On Tue, 29 Oct 2013 11:03:55 -0200 Djones Boni 07ea86b...@gmail.com wrote: On 29-10-2013 10:49, Celejar wrote: The question is not whether it's better than clear text over HTTP, but whether it's better than SSL. *If no CA is compromised*, I think SSL alone is more secure than Tor alone.

Re: SSL for debian.org/security?

2013-10-29 Thread Jonathan Spearman
If I am not misunderstanding this, the object is to secure the site so it won't be hacked. Why is there this need to use TOR? If I am not wrong, this site is about resolving issues related to security of Debian, not doing some underground espionage

Re: SSL for debian.org/security?

2013-10-29 Thread Pedro Worcel
I fail to see what would make what hard, could you please explain? 2013/10/30 Jonathan Spearman j...@jstc.info If I am not misunderstanding this, the object is to secure the site so it won't be hacked. Why is there this need to use TOR? If I

Re: SSL for debian.org/security?

2013-10-29 Thread Jordon Bedwell
On Wed, Oct 30, 2013 at 12:11 AM, Pedro Worcel pe...@worcel.com wrote: I fail to see what would make what hard, could you please explain? Hard, maybe not, needed: no. There is no reason to try and hide the information, there never was and there never will be. If you were to implement SSL and

SSL for debian.org/security?

2013-10-28 Thread Mark Haase
It's a bit ironic that the Debian security site doesn't offer SSL, right? If an attacker can MITM an organization that uses Debian, then they can MITM the Debian security page and control what security bulletins that organization can access. I'm also concerned because this same domain hosts

Re: SSL for debian.org/security?

2013-10-28 Thread Luca Filipozzi
On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote: I'd like to suggest that Debian should at least use SSL on their security site, even if nowhere else. Hi, We are in the process of purchasing SSL certificates for a number of our 'web properties' including www.debian.org. I hope to

Re: SSL for debian.org/security?

2013-10-28 Thread Volker Birk
On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote: It's a bit ironic that the Debian security site doesn't offer SSL, right? If an attacker can MITM an organization that uses Debian, then they can MITM the Debian security page and control what security bulletins that organization can