| 1 |
On Monday 09 Sep 2013 03:05:57 Michael Orlitzky wrote: |
| 2 |
> On 09/08/2013 09:33 PM, Dale wrote: |
| 3 |
> > Someone found this and sent it to me. |
| 4 |
> > |
| 5 |
> > http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelatio |
| 6 |
> > ns-020838711--sector.html |
| 7 |
> > |
| 8 |
> > |
| 9 |
> > I'm not to concerned about the political aspect of this but do have to |
| 10 |
> > wonder what this means when we use sites that are supposed to be secure |
| 11 |
> > and use HTTPS. From reading that, it seems that even URLs with HTTPS |
| 12 |
> > are not secure. Is it reasonable to expect that even connections |
| 13 |
> > between say me and my bank are not really secure? |
| 14 |
> |
| 15 |
> The CA infrastructure was never secure. It exists to transfer money away |
| 16 |
> from website owners and into the bank accounts of the CAs and browser |
| 17 |
> makers. Security may be one of their goals, but it's certainly not the |
| 18 |
> motivating one. |
| 19 |
> |
| 20 |
> To avoid a tirade here, I've already written about this: |
| 21 |
> |
| 22 |
> [1] |
| 23 |
> http://michael.orlitzky.com/articles/in_defense_of_self-signed_certificates |
| 24 |
> .php |
| 25 |
> |
| 26 |
> [2] |
| 27 |
> http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates. |
| 28 |
> php |
| 29 |
> |
| 30 |
> Warning: they're highly ranty, and mostly preach to the choir in that I |
| 31 |
> don't give a ton of background. |
| 32 |
> |
| 33 |
> The tl;dr is, use a 4096-bit self signed certificate combined with |
| 34 |
> pinning. It's not perfect, but it's as good as it gets unless you plan |
| 35 |
> to make a trip to each website's datacenter in person. |
| 36 |
|
| 37 |
Are you saying that 2048 RSA keys are no good anymore? |
| 38 |
|
| 39 |
-- |
| 40 |
Regards, |
| 41 |
Mick |
Archives