Skip to Content.
Sympa Menu

assurance - Re: [Assurance] SHA-2 Update

Subject: Assurance

List archive

Re: [Assurance] SHA-2 Update


Chronological Thread 
  • From: "Joe St Sauver" <>
  • To:
  • Subject: Re: [Assurance] SHA-2 Update
  • Date: Thu, 5 Sep 2013 14:51:02 -0700 (PDT)

Hi,

Dave commented:

#Well, there isn't much you can do if the gov't gets their claws on either
#end of the channels pre/post encryption/decryption.

Right, and that's also obviously happening, too, but those articles make
it clear that there are ALSO issues with the formerly trustworthy
encrypted middle. That's an absolutely huge sea change.

#However, while it is concerning and

Describing the most recent revelations as "concerning" significantly
downplays an industry wide sea change.

If you don't have trustworthy crypto, an awful lot of other things just
fall completely apart.

#upping key-sizes and encryption levels can assist to a degree,

Not at all clear what crypto algorithms or implementations are trustworthy
at this point. You can have a great algorithm, but if you're running with a
flawed RNG, for example, you can still be toast.

The best bet might be to nest or layer encryption using different (hopefully)
strong algorithms, in the hope that one of N might still give you some
protection, but of course that's inconvenient, so it's unlikely that people
will do it.

#my problem here is more a standard that is
#requiring me to make a change to a core authentication service which is
#guaranteed to break users who are not running the latest greatest version
#of whatever their preferred browser is.

TLS 1.1 (aka SSL 3.2) dates to 2006.

TLS 1.2 (aka SSL 3.3) dates to 2008.

Now I'll grant you that OpenSSL didn't support 1.2 until OpenSSL 1.0.1,
but 1.0.1d (and then e) shipped in February 2013, so it's now time,
particularly given some of the recent revelations.

Regards,

Joe



Archive powered by MHonArc 2.6.16.

Top of Page