| 1 |
On Monday 09 Sep 2013 02:33:48 Dale wrote: |
| 2 |
> Someone found this and sent it to me. |
| 3 |
> |
| 4 |
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations |
| 5 |
> -020838711--sector.html |
| 6 |
> |
| 7 |
> |
| 8 |
> I'm not to concerned about the political aspect of this but do have to |
| 9 |
> wonder what this means when we use sites that are supposed to be secure |
| 10 |
> and use HTTPS. From reading that, it seems that even URLs with HTTPS |
| 11 |
> are not secure. Is it reasonable to expect that even connections |
| 12 |
> between say me and my bank are not really secure? |
| 13 |
> |
| 14 |
> Also, it seems there are people that want to work on fixing this and |
| 15 |
> leave out any Government workers. Given my understanding of this, that |
| 16 |
> could be a very wise move. From that article, I gather that the tools |
| 17 |
> used were compromised before it was even finished. Is there enough |
| 18 |
> support, enough geeks and nerds basically, to do this sort of work |
| 19 |
> independently? I suspect there are enough Linux geeks out there to |
| 20 |
> handle this and then figure out how to make it work on other OSs. I use |
| 21 |
> the words geek and nerd in a complimentary way. I consider myself a bit |
| 22 |
> of a geek as well. :-D |
| 23 |
> |
| 24 |
> One of many reasons I use Linux is security. I always felt pretty |
| 25 |
> secure but if that article is accurate, then the OS really doesn't |
| 26 |
> matter much when just reaching out and grabbing data between two puters |
| 27 |
> over the internet. I may be secure at my keyboard but once it hits the |
| 28 |
> modem and leaves, it can be grabbed and read if they want to even when |
| 29 |
> using HTTPS. Right? |
| 30 |
> |
| 31 |
> This is not Gentoo specific but as most know, Gentoo is all I use |
| 32 |
> anyway. I don't know of any other place to ask that I subscribe too. I |
| 33 |
> figure I would get a "no comment" out of the Government types. ROFL |
| 34 |
> Plus, there are some folks on here that know a LOT about this sort of |
| 35 |
> stuff too. |
| 36 |
> |
| 37 |
> Again, I don't want a lot of political stuff on this but more of the |
| 38 |
> technical side of, is that article accurate, can it be fixed and can we |
| 39 |
> be secure regardless of OS. It seems to me that when you break HTTPS, |
| 40 |
> you got it beat already. |
| 41 |
> |
| 42 |
> Am I right on this, wrong or somewhere in the middle? |
| 43 |
> |
| 44 |
> Dale |
| 45 |
> |
| 46 |
> :-) :-) |
| 47 |
|
| 48 |
As far as I know the NSA has cracked elliptic curve algorithms and earlier SSL |
| 49 |
versions. Not that you would suspect this from their peddling of it here :-p |
| 50 |
|
| 51 |
http://www.nsa.gov/business/programs/elliptic_curve.shtml |
| 52 |
|
| 53 |
|
| 54 |
Latest TLS v1.2 *should* be OK, but with the advent of quantum computing who |
| 55 |
can tell if science fiction decryption capabilities have become reality for |
| 56 |
state actors. Looking at this, you can see that loads of websites out there |
| 57 |
are not using strong enough encryption, so even if it worked quantum computing |
| 58 |
may be an overkill for many https implementations today: |
| 59 |
|
| 60 |
https://www.trustworthyinternet.org/ssl-pulse/ |
| 61 |
|
| 62 |
-- |
| 63 |
Regards, |
| 64 |
Mick |
Archives