On Monday 09 Sep 2013 02:33:48 Dale wrote:
> Someone found this and sent it to me.
>
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
>
>
> I'm not too concerned about the political aspect of this but do have to
> wonder what this means when we use sites that are supposed to be secure
> and use HTTPS. From reading that, it seems that even URLs with HTTPS
> are not secure. Is it reasonable to expect that even connections
> between say me and my bank are not really secure?
>
> Also, it seems there are people that want to work on fixing this and
> leave out any Government workers. Given my understanding of this, that
> could be a very wise move. From that article, I gather that the tools
> used were compromised before it was even finished. Is there enough
> support, enough geeks and nerds basically, to do this sort of work
> independently? I suspect there are enough Linux geeks out there to
> handle this and then figure out how to make it work on other OSs. I use
> the words geek and nerd in a complimentary way. I consider myself a bit
> of a geek as well. :-D
>
> One of many reasons I use Linux is security. I always felt pretty
> secure but if that article is accurate, then the OS really doesn't
> matter much when just reaching out and grabbing data between two puters
> over the internet. I may be secure at my keyboard but once it hits the
> modem and leaves, it can be grabbed and read if they want to even when
> using HTTPS. Right?
>
> This is not Gentoo specific but as most know, Gentoo is all I use
> anyway. I don't know of any other place to ask that I subscribe to. I
> figure I would get a "no comment" out of the Government types. ROFL
> Plus, there are some folks on here that know a LOT about this sort of
> stuff too.
>
> Again, I don't want a lot of political stuff on this but more of the
> technical side of, is that article accurate, can it be fixed and can we
> be secure regardless of OS. It seems to me that when you break HTTPS,
> you got it beat already.
>
> Am I right on this, wrong or somewhere in the middle?
>
> Dale
>
> :-) :-)

As far as I know the NSA has cracked elliptic curve algorithms and earlier SSL
versions. Not that you would suspect this from their peddling of it here :-p

http://www.nsa.gov/business/programs/elliptic_curve.shtml


Latest TLS v1.2 *should* be OK, but with the advent of quantum computing who
can tell if science fiction decryption capabilities have become reality for
state actors. Looking at this, you can see that loads of websites out there
are not using strong enough encryption, so even if it worked quantum computing
may be an overkill for many https implementations today:

https://www.trustworthyinternet.org/ssl-pulse/

--
Regards,
Mick