[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 21/08/13 23:40, Simon Waters wrote: > On 21 Aug 2013, at 23:05, Simon Avery wrote: > >> Encryption's useful, of course it is, but it's vulnerable. > Although we note that a certain resident of the Ecuadorian embassy in London put > his "insurance" file out to anyone using AES256, and no one is claiming any > success, although even if they did it might pay to keep quiet if you can bust > aes256. > > It is of course vulnerable, and crypto systems tend to slowly degrade as people > find the first statistical weakness, and the mathematicians tug at it for a few > years. > > The top of my list of crypto worries is RC4 because a lot of us went that way when > BEAST arrived, and probably a lot of us (myself included) ought to be revisiting > that. It is taking eternity for the free software world to get to TLS 1.2 or > better (well for the big distros and browsers to switch to 1.0.1d or later of > openssl, technically the software all already exists, it just needs to be > aggregated into a working system for normal folk to use). Microsoft are there > already. > > Bad Apple is probably going to tell us he has packages for everything in every > major distro built with current openssl.... there are ways and means but until it > is the default and in everything there will be swathes of bad practice (and even > when it is the default since we've all overridden the default Apache ssl.conf now > with our own doubtful preferred lists of ciphers to use it'll remain till we all > fix it up manually. > > > Oh, I completely agree with you - there is a world of hurt getting stored up here. I am actually supposed to be looking into this whole mess at the moment as part of one job, and it's a really intimidating and complex edifice we've built up here. There are a truly staggering amount of ways to do things wrong. ghost@failbot:~$ apt-cache policy openssl | head -n3 openssl: Installed: 1.0.1c-4ubuntu8.1 Candidate: 1.0.1c-4ubuntu8.1 Ha, I wish I did have this all sorted! This system is just running stock openssl. Get back to me in a couple of months, and maybe I'll be making some process. No matter what, I'll be starting on stock Debian first and OpenBSD. And quite frankly, 'correcting' best security practice in OpenBSD is potentially a catastrophic mistake waiting to happen... I don't think I'll be mentioning it in the forums somehow: "Oh hai Theo, your stupid OS has crap security so I haz rebuilded openssl but I ated it LOL". Crap. Now I really, really want to actually post that to the OpenBSD list :] Regards -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq