HTTPS may introduce overhead in terms of infrastructure costs, communication latency, data usage, and energy consumption. Moreover, given the opaqueness of the encrypted communication, any in-network value added services requiring visibility into application layer content, such as caches and virus scanners, become inef fective.
Tag Archives: encryption
The Horror of a ‘Secure Golden Key’
A “golden key” is just another, more pleasant, word for a backdoor—something that allows people access to your data without going through you directly. This backdoor would, by design, allow Apple and Google to view your password-protected files if they received a subpoena or some other government directive. You’d pick your own password for when you needed your data, but the companies would also get one, of their choosing. With it, they could open any of your docs: your photos, your messages, your diary, whatever.
TrueCrypt Website Says To Switch To BitLocker
I do not know precisely what this means, as I have no contact with the developers anymore: but this is what was agreed upon.
They should no longer be trusted, their binaries should not be executed, their site should be considered compromised, and their key should be treated as revoked. It may be that they have been approached by an aggressive intelligence agency or NSLed, but I don’t know for sure.
While the source of 7.2 does not appear to my eyes to be backdoored, other than obviously not supporting encryption anymore, I have not analysed the binary and distrust it. It shouldn’t be distributed or executed.
via TrueCrypt Website Says To Switch To BitLocker – Slashdot.
From: TrueCrypt Final Release Repository
TrueCrypt’s formal code audit will continue as planned. Then the code will be forked, the product’s license restructured, and it will evolve. The name will be changed because the developers wish to preserve the integrity of the name they have built. They won’t allow their name to continue without them. But the world will get some future version, that runs on future operating systems, and future mass storage systems.
There will be continuity . . . as an interesting new chapter of Internet lore is born.
New Al Qaeda Encryption Software
Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight.
OpenSSL bug CVE-2014-0160
If you’re using an older OpenSSL version, you’re safe.
via OpenSSL bug CVE-2014-0160 | The Tor Blog.
I find that statement quite interesting due to how many security experts tout keeping your software constantly updated without realizing sometimes updates can introduce exploit vectors.
From: The Heartbleed Bug
What makes the Heartbleed Bug unique?
Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.
Am I affected by the bug?
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.
From: Exploits allow attackers to obtain private keys used to decrypt sensitive data.
They called on white-hat hackers to set up “honeypots” of vulnerable TLS servers designed to entrap attackers in an attempt to see if the bug is being actively exploited in the wild. The researchers have dubbed the vulnerability Heartbleed because the underlying bug resides in the OpenSSL implementation of the TLS heartbeat extension as described in RFC 6520 of the Internet Engineering Task Force.
The Mining Algorithm And CPU Mining – All About Bitcoin Mining: Road To Riches Or Fool’s Gold?
One of the most difficult problems in computer science is reversing a secure hash (finding an input text for a given output, the digital signature). Let me explain this problem in simple terms. Let’s assume the wealthy but terminally ill Alice wrote her will and stored it on her computer. Knowing that a computer can be hacked and the will can be altered, Alice digitally signed her will with the secure hash algorithm SHA-256. She then emailed the digital signature to all her friends, allowing them to check the validity of the document. Bob wants to hack into the computer and change Alice’s will so that he becomes the sole beneficiary, but he faces a problem: he needs to change the will in such a way that the widely distributed SHA-256 signature stays the same. Otherwise, everybody realizes that the will has been forged. This is the computationally difficult problem of reversing or brute-forcing SHA-256, or finding an input that matches a predefined output. Satoshi famously decided that in order to find a new block, people all over the world need to compete in reversing SHA-256, turning block creation into a global lottery.
via The Mining Algorithm And CPU Mining – All About Bitcoin Mining: Road To Riches Or Fool’s Gold?.
Once very popular among Bitcoin miners, but now somewhat dated, the Radeon HD 5830 card boasts 1120 stream processing units. But that doesn’t mean it literally has 1120 separate cores. Rather, the GPU employs 224 SIMD cores, each of which sports five ALUs operating in parallel (VLIW5).
SSL TLS HTTPS Web Server Certificate Fingerprints
Public and Private keys form cryptographically matched pairs. It is not feasible to derive one from the other, yet what one encrypts only the matching other can decrypt. Website SSL security certificates provide the site’s Public cryptographic key which is the public side of the server’s secret Private cryptographic key which is never publicly disclosed. Only the certificate’s public key can be used to encrypt data which the remote server can decrypt only using its matching private key. Since the SSL Proxy Appliance does not have the private key of the remote server—because only the remote server has it—the fake & fraudulent certificate the SSL Proxy provides to the user’s web browser is forced to use a different public key for which it does have a matching private key. And that means that no matter how hard any SSL-intercepting Proxy Appliance may try to spoof and fake any other server’s certificate, the certificate’s public key MUST BE DIFFERENT
via GRC | SSL TLS HTTPS Web Server Certificate Fingerprints
The remote server’s REAL certificate and the SSL Appliance’s FAKED certificate MUST HAVE AND WILL HAVE radically different fingerprints. They will not be remotely similar..
“Honey Encryption” Could Trick Criminals with Spoof Data
“Decoys and deception are really underexploited tools in fundamental computer security,” Juels says. Together with Thomas Ristenpart of the University of Wisconsin, he has developed a new encryption system with a devious streak. It gives encrypted data an additional layer of protection by serving up fake data in response to every incorrect guess of the password or encryption key. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data.
via “Honey Encryption” Could Trick Criminals with Spoof Data | MIT Technology Review.
Secret contract tied NSA and security industry pioneer
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
via Exclusive: Secret contract tied NSA and security industry pioneer | Reuters.
RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.
An interesting link came up in the Slashdot comment section. From: [Cfrg] Requesting removal of CFRG co-chair
I’d like to request the removal of Kevin Igoe from CFRG co-chair.
The Crypto Forum Research Group is chartered to provide crypto advice to IETF Working Groups. As CFRG co-chair for the last 2 years, Kevin has shaped CFRG discussion and provided CFRG opinion to WGs.
Kevin’s handling of the “Dragonfly” protocol raises doubts that he is performing these duties competently. Additionally, Kevin’s employment with the National Security Agency raises conflict-of-interest concerns.
LOL. No one trusts the NSA anymore.
Academics should not remain silent on hacking
NIST’s standard for random numbers used for cryptography, published in 2006, had been weakened by the NSA. Companies such as banks and financial institutions that rely on encryption to guarantee customer privacy depend on this standard. The nature of the subversions sounds abstruse: the random-number generator, the ‘Dual EC DRBG’ standard, had been hacked by the NSA so that its output would not be as random as it should have been. That might not sound like much, but if you are trying to break an encrypted message, the knowledge that it is hundreds or thousands of times weaker than advertised is a great encouragement.
via Academics should not remain silent on hacking : Nature News & Comment.