On Apr 20, 2014, at 15:38, Mick <michaelkintz...@gmail.com> wrote:

> On Sunday 20 Apr 2014 10:10:42 Dale wrote:
> 
> Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly any public 
> sites offer it as an exclusive encryption protocol, because they would lock 
> out most of their visitors.  This is because most browsers do not yet support 
> it.  MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default and has dropped the 
> RC4 cipher (since November last year).  I understand they are planning to drop 
> SHA-1 next Christmas and have already dropped MD5 because of the Flame 
> malware.  This should push many websites to sort out their encryption and SSL 
> certificates and move away from using RC4 and SHA1 or MD5.  As I said RC4 has 
> been reverted to by many sites as an immediate if interim defence against the 
> infamous BEAST and Lucky Thirteen attacks.

This is a problem all Microsoft's customers are facing. I wonder why they don't 
demand more. I hope this publicity that Snowden and Heartbleed have brought to 
an average user will change their interests to demand better privacy. Anyway, I 
just wonder who trusts software whose source code isn't open and reviewed 
by a large community that doesn't have a financial interest in you.

> According to the Netcraft SSL Survey (May 2013) only a third of all web 
> servers out there offer Perfect Forward Secrecy to ensure that even if the 
> encryption keys were to be compromised, previous communications cannot be 
> retrospectively decrypted.
> 
> Elliptic Curve algorithms are not yet included in many browsers and in any 
> case the security of these in a post-Snowden world should be questionable 
> (well, at least the arbitrarily specified NIST-NSA sponsored curves, which 
> OpenSSL is heavily impregnated with).
> 
> What I'm saying is that there may be no perfect banking website out there, 
> because Internet security is screwed up at the moment, but it is always worth 
> looking for a better bet.

It is really hard to fight for privacy, because we have large companies and 
agencies that are actively lobbying politicians and standards for their own 
personal interests. In order for security to get better, an average user 
needs to gain an interest in it. This seems unlikely because nowadays 
everybody is uploading all their secrets to a cloud computing service etc. But 
I hope this publicity will change it, even slowly.

Another thing is that system administrators need to gain more knowledge on 
securing their services. For that I think this conversation is quite helpful. A 
lot of people read this list and it can be found by Google. OpenSSL and GnuPG 
are not very easy to use for someone who doesn't have any knowledge of 
cryptography. For example openssl will try to use MD5 by default even in Gentoo 
if you just try to create an x509 cert. And many manual pages are way behind... 
The newest algorithms are almost never listed there. So you have to truly dig in 
or ask somebody to find safe and up-to-date answers.

-- 
-Matti 
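
Added example, not part of the original message: a shell sketch that pins the digest when creating a self-signed certificate instead of relying on whatever default the local openssl configuration carries, and then audits the resulting signature algorithm. The function names, the `example.invalid` subject and the file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the thread.

# make_cert KEY CERT: self-signed test certificate with the digest pinned to
# SHA-256 on the command line, so the result does not depend on the
# default_md setting in the [req] section of openssl.cnf.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=example.invalid" -keyout "$1" -out "$2" 2>/dev/null
}

# sig_alg CERT: print the certificate's signature algorithm name,
# e.g. sha256WithRSAEncryption or md5WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# classify_alg NAME: WEAK for MD5- or SHA-1-based signatures, UNKNOWN when
# no name could be read, OK otherwise. RSA-PSS certificates name their hash
# on a separate line and are not examined by this simple check.
classify_alg() {
    case "$1" in
        "") echo UNKNOWN ;;
        md5*|sha1*|*MD5|*SHA1) echo WEAK ;;
        *) echo OK ;;
    esac
}

# audit_cert CERT: classify an existing certificate file.
audit_cert() { classify_alg "$(sig_alg "$1")"; }

# Stand-alone use: sh audit.sh /path/to/cert.pem
if [ "$#" -gt 0 ]; then
    audit_cert "$1"
fi
```

Running `audit_cert` over certificates already deployed shows which ones were signed with MD5 or SHA-1 and need to be reissued.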


