1 |
On Monday 09 Sep 2013 03:05:57 Michael Orlitzky wrote: |
2 |
> On 09/08/2013 09:33 PM, Dale wrote: |
3 |
> > Someone found this and sent it to me. |
4 |
> > |
5 |
> > http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelatio |
6 |
> > ns-020838711--sector.html |
7 |
> > |
8 |
> > |
9 |
> > I'm not to concerned about the political aspect of this but do have to |
10 |
> > wonder what this means when we use sites that are supposed to be secure |
11 |
> > and use HTTPS. From reading that, it seems that even URLs with HTTPS |
12 |
> > are not secure. Is it reasonable to expect that even connections |
13 |
> > between say me and my bank are not really secure? |
14 |
> |
15 |
> The CA infrastructure was never secure. It exists to transfer money away |
16 |
> from website owners and into the bank accounts of the CAs and browser |
17 |
> makers. Security may be one of their goals, but it's certainly not the |
18 |
> motivating one. |
19 |
> |
20 |
> To avoid a tirade here, I've already written about this: |
21 |
> |
22 |
> [1] |
23 |
> http://michael.orlitzky.com/articles/in_defense_of_self-signed_certificates |
24 |
> .php |
25 |
> |
26 |
> [2] |
27 |
> http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates. |
28 |
> php |
29 |
> |
30 |
> Warning: they're highly ranty, and mostly preach to the choir in that I |
31 |
> don't give a ton of background. |
32 |
> |
33 |
> The tl;dr is, use a 4096-bit self signed certificate combined with |
34 |
> pinning. It's not perfect, but it's as good as it gets unless you plan |
35 |
> to make a trip to each website's datacenter in person. |
36 |
|
37 |
Are you saying that 2048 RSA keys are no good anymore? |
38 |
|
39 |
-- |
40 |
Regards, |
41 |
Mick |