Mick wrote:
> On Friday 18 Apr 2014 15:27:12 Dale wrote:
>>
>>
>> On this topic about NSA, I read an article that claimed the NSA was able
>> to view httpS traffic live or close to live since they had some backdoor
>> access keys.  I don't recall where the article was but since this is a
>> knowledgeable bunch, is this true?  If for example I go to my bank or
>> credit card website, can they "easily" view that traffic?
>
> If your bank was using certain versions of openssl over the last two years,
> then *any* attacker who knew of the heartbleed bug would have been able to
> steal the private key of the server and decrypt all communications with it.
> It is rumoured (but could be FUD) NSA are likely to have known of this
> vulnerability since at least November 2013.

I'm a little vague on some things but it seems the claim was that NSA
had some sort of backdoor that was built in from the beginning of the
project for encryption which sounded like it would include httpS and
others.  Again, the details are fuzzy.  I would say that I need to
bookmark this sort of thing but I already have so many bookmarks that it
is very hard to dig through them as it is.  Adding more may be
counterproductive, yet again.


>
>
>> One reason this jumped out at me was that in the article, it was claimed
>> that a group of people was going to rewrite the code/software/whatever
>> for httpS and other encryption tools.
>>
>> If someone has links to such info for me to read and pass on to others,
>> that would be great too.
>
> HTTPS on its own does not mean much, if it is using insecure (less secure)
> algorithms.  RC4 and DES are no longer considered secure, but there are
> websites and browsers that still use them in preference to more secure
> cryptos.  Some elliptic curves based algorithms peddled by NIST at the behest
> of NSA are now considered suspicious, if not downright compromised by design.
>
>   http://safecurves.cr.yp.to/
>

Neat link.  Lots of red stuff, which I assume is bad.  ;-)  Will dive
into that more later on.

Thanks.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!
