Re: [Cryptography] People should turn on PFS in TLS
>>>>> "PEM" == Perry E Metzger writes:

PEM> Anyone at a browser vendor resisting the move to 1.2 should be
PEM> viewed with deep suspicion.

Is anyone?

NSS has 1.2 now; it is, AIUI, in progress for ff and sm.

Chromium supports it (as of version 29, it seems).

Opera supports 1.2 (at least as of version 12, maybe earlier?).

Arora 0.11.0 doesn't seem to provide a way to check.

Links and elinks only did tls 1.1.

I don't see a way to get lynx or w3m (text browsers), midori, luakit or xombrero (webkit-gtk) or qupzilla (webkit-qt) to report the tls version details. So I cannot confirm what webkit can do.

A bug report from 2011 for polarssl mentions that ie9 can do 1.2.

I don't think there is anything else I can test.

With it in openssl, gnutls, nss, polarssl, et alia, support seems pretty complete.

It will take some time for the current ff alpha to filter down to a "release", but otherwise things look good on the 1.2 front.

-JimC
-- 
James Cloos          OpenPGP: 1024D/ED7DAEA6
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
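For a browser that will not report its TLS version (the text and webkit browsers above), the practical check is to capture its ClientHello and decode it: the highest version it offers and whether it lists any ECDHE/DHE suites answer both the "1.2" and the "PFS" questions of this thread. The following is an added example in Python, not code from the list post or from any of the browsers mentioned; it builds two constructed ClientHellos in the RFC 5246 wire format and parses them. The cipher-suite table is a small hand-picked subset of the IANA registry, and the all-zero client random is a placeholder for the constructed samples only.

```python
import struct

# Subset of the IANA TLS cipher-suite registry, enough to classify the
# constructed hellos below (assumption: extend it for real captures).
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # extension type from RFC 8446


def suite_name(code):
    return SUITES.get(code, "0x%04X" % code)


def suite_is_pfs(code):
    # TLS 1.3 suites (0x13xx) always do an (EC)DHE exchange; for earlier
    # versions the ECDHE_/DHE_ key-exchange component of the name is what
    # gives forward secrecy. Plain RSA key transport does not.
    name = suite_name(code)
    return (code >> 8) == 0x13 or "_ECDHE_" in name or "_DHE_" in name


def build_client_hello(client_version, suites, supported_versions=None):
    """Serialise a minimal ClientHello with record and handshake framing."""
    hello = struct.pack(">H", client_version)     # legacy client_version
    hello += b"\x00" * 32                          # client random (constructed: zeros)
    hello += b"\x00"                               # empty session id
    hello += struct.pack(">H", 2 * len(suites))
    hello += b"".join(struct.pack(">H", s) for s in suites)
    hello += b"\x01\x00"                           # one compression method: null
    exts = b""
    if supported_versions:
        body = bytes([2 * len(supported_versions)])
        body += b"".join(struct.pack(">H", v) for v in supported_versions)
        exts += struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(body)) + body
    hello += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    # Record-layer version is 0x0301 on the wire regardless of what is offered.
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return the highest version offered and the PFS / non-PFS suite split."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake")

    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("truncated ClientHello")
        chunk = hello[pos:pos + n]
        pos += n
        return chunk

    versions = [struct.unpack(">H", take(2))[0]]   # legacy client_version
    take(32)                                       # random
    take(take(1)[0])                               # session id
    cs_len = struct.unpack(">H", take(2))[0]
    cs = take(cs_len)
    suites = [struct.unpack(">H", cs[i:i + 2])[0] for i in range(0, cs_len - 1, 2)]
    take(take(1)[0])                               # compression methods
    if pos < len(hello):                           # extensions are optional
        ext_len = struct.unpack(">H", take(2))[0]
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", take(4))
            edata = take(elen)
            if etype == SUPPORTED_VERSIONS_EXT and edata:
                n = min(edata[0], len(edata) - 1)  # 1.3 clients list versions here
                versions = [struct.unpack(">H", edata[1 + i:3 + i])[0]
                            for i in range(0, n - 1, 2)]
    top = max(versions)
    pfs = [suite_name(s) for s in suites if suite_is_pfs(s)]
    non_pfs = [suite_name(s) for s in suites if not suite_is_pfs(s)]
    return {"max_version": VERSIONS.get(top, "0x%04X" % top),
            "pfs_suites": pfs, "non_pfs_suites": non_pfs,
            "offers_pfs": bool(pfs)}


if __name__ == "__main__":
    old = build_client_hello(0x0301, [0x002F, 0x0005])
    new = build_client_hello(0x0303, [0xC02F, 0x0033, 0x002F])
    print(parse_client_hello(old))
    print(parse_client_hello(new))
```

On a real capture, feed the first record of the client's first flight (for example, the payload of the first TCP segment after the handshake) to `parse_client_hello`; a client whose `max_version` is below TLS 1.2 or whose `pfs_suites` list is empty cannot give you what the thread's subject asks for, whatever the server is configured to prefer.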
Re: Lava lamp random number generator made useful?
>>>>> "IanG" == IanG <[EMAIL PROTECTED]> writes:

IanG> Nope, sorry, didn't follow it. What is BOM, SoC, A plug, gerber?

Bill Of Materials -- cost of the raw hardware
System on (a) Chip -- microchip with CPU, RAM, FLASH, etc
USB A Plug -- physical flat-four interface; think USB key drive
gerber -- file format for hardware designs

A system-on-a-chip which has rng and usb-client hardware on board (aka on chip) should fit in a package which looks just like a USB key drive. The software load could make it look like any USB device, including a USB storage device where every read produces blocks of entropy, as you suggested.

A search for "site:linuxdevices.com SoC RNG USB" shows some useful SoCs, such as:

http://www.linuxdevices.com/news/NS9265554097.html
http://www.linuxdevices.com/news/NS6958318931.html
http://www.linuxdevices.com/news/NS6020408561.html
http://www.linuxdevices.com/news/NS4943322251.html
http://www.linuxdevices.com/news/NS4469294424.html

There seems to be significant interest in the industry for SoCs for Point of Sale smartcard readers which would also work for your proposed design. You did suggest an open hardware design.

As for using a camera, shots with a lens cover on and with the gain turned up (ie, tell people to set the camera to its highest ISO setting) should maximize the recorded entropy w/o using their candids, eh?

-JimC
-- 
James Cloos <[EMAIL PROTECTED]>         OpenPGP: 1024D/ED7DAEA6
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Lava lamp random number generator made useful?
>>>>> "IanG" == IanG <[EMAIL PROTECTED]> writes:

IanG> I've often thought that if we had an open source hardware design
IanG> of a USB random number generator

It should be doable as just a RNG device for a BOM of a few tens of USD.

There are at least a couple of SoCs on the market which advertise USB client hw and at least some onboard crypto. Put one of those in a key-sized container with just enough glue for an A plug and the hw is done.

The software should be easy enough. Linux's gadget driver can claim to be pretty much anything -- serial, storage, ethernet. I presume the various BSDs can do so as well. So the software end should be easy.

Are there any HW engineers here who can flesh out the above into a gerber file or similar?

-JimC
-- 
James Cloos <[EMAIL PROTECTED]>         OpenPGP: 1024D/ED7DAEA6
Re: how bad is IPETEE?
>>>>> "Eugen" == Eugen Leitl <[EMAIL PROTECTED]> writes:

Eugen> I'm not sure what the status of http://postel.org/anonsec/

The IETF just created a new list and subscribed all anonsec subscribers:

https://www.ietf.org/mailman/listinfo/btns

-JimC
-- 
James Cloos <[EMAIL PROTECTED]>         OpenPGP: 1024D/ED7DAEA6
Re: TLS-SRP & TLS-PSK support in browsers (Re: Dutch Transport Card Broken)
>>>>> "Werner" == Werner Koch <[EMAIL PROTECTED]> writes:

Werner> The last time I checked the Mozilla code they used their own crypto
Werner> stuff. When did they switch to OpenSSL and how do they solve the
Werner> GPL/OpenSSL license incompatibility?

Indeed they do. It is called nss, is available as a package of its own on several dists, is written in C, is MPL|GPL|LGPL and has its own page at:

http://www.mozilla.org/projects/security/pki/nss/

The Gentoo ebuild even installs a pkgconfig file.

I don't recall seeing anything !zilla using it, though.

-JimC
-- 
James Cloos <[EMAIL PROTECTED]>         OpenPGP: 1024D/ED7DAEA6
Re: VoIP and phishing
>>>>> "mis" == mis <[EMAIL PROTECTED]> writes:

mis> does anyone know if [real-]time ANI from
mis> toll free services is still unspoofable?

No, in general it is not unspoofable.

But you probably need the gateway into the PSTN to use SS7 and IMT trunks; and that probably means a CLEC license in the US, or similar elsewhere. That presumably means more substantial civil and criminal penalties for spoofing with criminal intent, not to mention the potential loss of the operating license for doing so.

So although it is certainly doable, it'll be expensive and likely beyond the means of small-time players.

In short, if you have direct SS7 access, there isn't much you cannot do to screw over other providers and their customers. Hence all of the rules and regs for getting such access.

-JimC
-- 
James H. Cloos, Jr. <[EMAIL PROTECTED]>