Scott writes:
> Has anyone looked at our internal network infra closely?

Yes, but system security and security of the private keys are equally important. On general principles, after the TLS 1.2 / HTTPS everywhere default is in place, the private keys should be updated, with as secure and limited a set of people having access to the servers with that as possible. One could guess that going after TLS / HTTPS private key certs is another level to all of this, compromising servers and/or cert agencies to get them.

On Fri, Sep 6, 2013 at 1:08 PM, C. Scott Ananian <[email protected]> wrote:
> New revelations on NSA capabilities yesterday in the New York Times: see
> https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html for a
> jumping off point.
>
> The bottom line seems to be:
> 1) don't use RC4 (we're already working toward that goal, I believe)
> 2) don't use the Dual_EC_DRBG PRNG (see
> http://crypto.stackexchange.com/questions/10189/who-uses-dual-ec-drbg)
>
> Can someone take a look at our SSL configuration and see if we have
> Dual_EC_DRBG enabled? (And if so, turn it off and use a better PRNG!)
> --scott
>
> ps. apparently Dual_EC_DRBG is built-in to Windows (!). A good reason not
> to run your security-critical servers on Windows, I guess...
> pps. if we're throwing stones, the Debian PRNG flaw is a big glass
> window....
> ppps.
> http://blog.cryptographyengineering.com/2012/02/random-number-generation-illustrated.html
> pppps. router/switch/firewall compromises have also been a big part of the
> NSA story. Has anyone looked at our internal network infra closely?
>
> --
> (http://cscott.net)
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

--
-george william herbert
[email protected]
