Domain: financialcryptography.com
Stories and comments across the archive that link to financialcryptography.com.
Comments · 8
-
Re:Uh... okay
-
Re:Extreme instability of Bitcoin vs. USD
3 words: tripple entry accounting. If it's successful, bitcoin will be the biggest thing to hit accounting practises and economic stability since the 15th century.
-
SSL MITM
I remember getting flamed something terrible when SSL was first announced and I said at that time there was no way to stop a Man In the Middle Attack.
All sorts of irrelevant counter arguments were made at that time too.
Certificate and DNSSEC are also useless.
Why, because if your using your PC from 1 ISP or your employers fire walled Intranet, then from the time you install a browser on your PC there, nothing can be trusted.
Certificates and DNSSEC would also come from MITM servers.
There firewall could send you bogus certs and then give you valid connections as if they were the real web site. In turn there fire wall could unwrap your encrypted traffic, then repack it in to the real cert for connection to the SSL'ed web site.Unless you are going to manually install your keys that you brought from a second clean source there is nothing your going to be to be able to even tell that you've been compromised.
So SSL's largest problem is when your sitting at your office in your big corporate job, and it's got the SSL lock, your lulled in to a false sense of security!
I worked for a German Multinational. All net traffic from my US office went through Germany to get on to the net.
I'd find it impossible to believe that if they had wanted to, that they couldn't do a very complete MITM attack.My solution was to do SSH over SSL, where I'd bring my own SSH keys in on USB Stick.
then I could run X over that SSL to a Firefox running on my own Personal CoLo running Linux.I could also have done a VPN over SSH over SSL.
Nice thing about these are canned large corporate attacks wouldn't be geared to deal with it.Problem is everyone arguing about security it thinking hackers and not corporate spying of employees or government spying of foreigners or it's citizens.
I just remember that German Citizen while in the USA had to be given special internet and phone because under German law they weren't allowed to be monitored and because it was a German company they had to be given the same rights as if they were in Germany.
So I'd say it was safe to assume, I wasn't given that special privilege of not being monitored.
On the subject of recorded IP traffic logs, if it's an after some incident, they can put lots of time and money into cracking your encrypted traffic. Some of these Intellectual property law suites can go on for 10 years. You are a fool to think that they wouldn't crack your keys and see everything that you ever viewed over the web while at work.
It's for this reason why I love one time pads, it's a real loss that security people keep dismissing them.
for some interesting reading:
http://iang.org/ssl/
https://www.financialcryptography.com/ -
Re:The implications?
Then again, CA-signed certificates also suck. I've already written about it here, so I won't reformulate the problem in this post, but I'll quote the most relevant part:
---
The problem, then, is that this implies that you need to trust Verisign and Thawte to properly validate all the certificate requests that they get—people in an extremely large, bureaucratically weighed-down enterprise that process thousands of certificates daily using automated processes. What are the chances that they wouldn't let one single mistake slip through, and issue a certificate to a cracker for a site that he does not own? The problem does not end there, however: The certificates pre-installed on new PCs are not limited to Verisign and Thawte. They commonly ship with the certificates of around 50 different certificates organizations. Even if you feel secure in trusting Verisign and Thawte (which you should not, but more on that later), what are the chances that all of these can be trusted to consist entirely of incorruptible people and flawless processes? And, even if they did, what are the chances that all of them are completely secure and cannot themselves be cracked to produce faux certificates? For this reason alone, I, for one, would consider the entire process flawed and untrustworthy, and I would implore you to do the same. Therefore, Haven and Hearth uses its own, self-signed SSL certificate, bypassing the certificate authorities. To further clarify our stance, the following three points of policy are noteworthy:
- I do not want to convince you to distrust people. This is a problem of statistics; it would be almost weird if, somewhere in any of the many organizations whose certificates are installed in browsers worldwide, there did not exist anyone who was untrustworthy or just one computer system which is crackable, and the system is designed in such a way that just one is enough to break it.
- Sure enough, there have not been many major security breaches through this route (though it is not unheard of, either), so you might think that I am merely being alarmist, but I would still argue that the flaws in the system is enough reason to boycott it.
- Last, but not least: As I mentioned above, the certificate authorities more often than not charge quite obscene amounts for their services, which emanates an attitude that "The web is for corporations, not for individuals"; a statement that we resent.
But hold on, there is more to this. You may have read the preceding paragraph and still thought it all right to trust all these diverse organizations. However, you really should not: it is well documented that Verisign actively produces faux certificates for various purposes, especially for law enforcement agencies, so that they can perform MITM attacks. You can see Verisign's own home page if you doubt it. What Verisign's faux certificates mean in practice, is that their holder can impersonate any web site, to listen to the traffic between them and their visitors, modify their content arbitrarily and catch any and all sensitive information. And by that, I really mean any web site, not only those with certificates signed by Verisign in the first place. See, when the browser performs its certificate authenticity check, it checks the web site's certificate against any of its installed certificate authorities, and it does not even warn you if the web site's certificate has changed since the last time you visited it, as long as it is signed by just one of the certificate authorities it knows of. Of course, it is not only Verisign which is bestowed with this power – any of the certificate authorities can do th
-
Re:Worth it.
You can *NEVER* establish identity with a self-signed cert.
That's not actually true, though -- you merely need to exchange the certificate identity beforehand. For example, if you walk into your bank office and ask for Internet banking access, they can give you a physical piece of paper with the correct certificate key fingerprint, which you can then verify manually when you go to your Internet banking website. Which is how cryptographic trust should work.
Gaining trust is subjective, and when you trust an authority, you implicitly effectively incorporate and endorse their verification methods them as your own.
Which is why the current system is not a very good one. Of all the 40+ certificate authorities that ship with any browser, it would be ludicrous to think that at least one of them would not either be untrustworthy or at least vulnerable to attack from real crackers. See Verisign, for example, which issues fake certificates to government agencies.
Therefore, I would argue that self-signed certs (or simply a PGP/GPG-like trust model) is far better than the current SSL scheme, which really can't be trusted at all.
-
Geotrust hasn't revoked the phisher's cert yetCheck it out. Still listed. Doesn't even seem to be in the certification revocation database.
Let's quote what Geotrust says about relying on certificates:
GeoTrust's solution is that the browser should display
... "The name and logo of the CA who issued the certificate. Consumers will soon learn from news reports which CAs to trust and which CAs use sloppy procedures and should not be trusted."We should take Geotrust at their word. Now that we're certain that their procedures are sloppy and they can't be trusted, their certs should be pulled from all browers. New releases of Firefox should not contain root certs for Geotrust. They had their chance, and they blew it.
-
Re:remember--only applies to commercial apps
Actually, it's even easier than that. All a terrorist has to do to communicate securely is buy a cheap pre-pay mobile phone. Computer security and encryption are basically meaningless next to real-world methods of avoiding detection.
Except that recently a terror network was busted because of the chips in their prepaid mobile phones. This link mirrors the NYT article. A key point:Mohammed was a victim of his own sloppiness, said a senior European intelligence official. He was meticulous about changing cellphones, but apparently he kept using the same SIM card.
It was sloppiness that tipped the authorities, but then they tracked him down by his supposedly anonymous mobile phone. And now the Swiss company that sells the cards is changing their policies, so it'll be even harder to communicate anonymously via mobile phone. -
linkageIf you were wondering what this is all about... Annalee Newitz (with two N's) is the author of a regular print-media column called "Techsploitation", of which this story was an example. More on that: http://www.techsploitation.com/writing/ http://www.alternet.org/alsoby.html?Author=2188 More about CodeCon: http://en.wikipedia.org/wiki/CodeCon http://www.codecon.org/2004/ http://www.oblomovka.com/search.php3?q=%3Cspan%20
c lass= http://www.financialcryptography.com/mt/archives/0 00050.html The Schmoo Hacker Group: "The Shmoo Group is a non-profit think-tank comprised of security professionals from around the world who donate their free time and energy to information security research and development." http://www.shmoo.com/ Wi-Fi Remains a Work in Progress A latte, a Wi-Fi link and a hacker Wireless network worries? Get a dog! "Need To Know" (a zine in fixed-width font, the way god intended the net): http://www.ntk.net/ Ken Schalk, yo-yo hacker, is the author of Vesta: "Vesta is an advanced system for source code control, versioning, configuration management, and building. It is an alternative to CVS+make." http://freshmeat.net/projects/vesta/ http://sourceforge.net/project/shownotes.php?relea se_id=156198 Sparky's http://www.milkycat.com/toiletree.htm Jonathan Moore evidentally did a bunch of wifi networking down in Santa Cruz, and is the author of the MobileMesh software http://wiki.haven.sh/index.php/WikiWikiWan Jonathan Moore's CodeCon presentation was about: "Hacking Social Networks part II (Don't search private data)" http://more.theory.org/archives/000110.html#more Science Magazine is put out by the AAAS, and does great in-depth coverage of general science (and insanely detailed minutia about biology): http://www.sciencemag.org/ Placebos http://placebo.nih.gov/ Oh, and about "GenToo 2004": http://www.gentoo.org/news/20031203-news.xmlHeh... note the email address Annalee Newitz is using here... she evidentally creates a new mail alias for every column: sugarpill@techsploitation.com
Ah, slash ids pushing a billion and whining about what a sewer it's become...