I've deliberately stayed out of the political discussion, but interested in this more technical discussion…
On 10 Oct 2013, at 14:50, Giles Coochey <gi...@coochey.net> wrote: > 2. Cipher Selection - we're not all cryptoanalysts, so statements like 'trust > the math' don't always mean much to us, given the reports in the media, what > is considered a safe cypher? I recently switched from AES-256 to > Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 to pfs group 5, > and I reduced my SA lifetimes from 28800 to 1800. Could that be considered > overkill? I believe there were discussions about 18 months ago to the effect that a weakness (cryptanalysis rather than brute force) had been discovered in SHA1, so going up to SHA512 can't be a bad thing. You might want to look at RIPEMD160 (and derivatives) as well - very different development model from SHA derivatives, which you may or may not find more comforting. What made you change from AES to Blowfish, and is there any evidence to suggest that Blowfish is more 'secure' than AES? It's worth mentioning here that AES acceleration is well supported in hardware (even low-power platforms like the ALIX embedded boards have AES acceleration), whereas Blowfish will likely be done entirely in software. > 3. pfSense - In general do you consider pfsense secure?? pfSense is, essentially, a very well put together collection of other packages. The question isn't so much whether pfSense itself is 'secure', but whether those other packages which make up the security portions of pfSense (pf, OpenVPN, even FreeBSD itself) are themselves secure. Those are probably questions better aimed at the developers of those packages. Kind regards, Chris -- This email is made from 100% recycled electrons _______________________________________________ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list