Re: Key servers
Jonathan McDowell wrote/napisał[a]/schrieb: -- Start of PGP signed section. > On Sun, Apr 14, 2002 at 07:12:09PM +0200, Michal Tarana wrote: > > > I made my gpg signature with gpg tool in Woody and everything was O.K. > > until I wanted to send it to some keyserver. I tried few servers from > > www.keyserver.net, but everytime I got only this answer: > > > > gpg: error sending to 'www.keyserver.net' eof. > > > > Can somebody recomend me some other keyservers or help with this > > problem? > > As the admin of wwwkeys.uk.pgp.net I can highly recommend it. ;) which software it runs? does it support subkeys? Alex -- C _-=-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | | * ; (_O : +-+ --+~| ! &~) ? | Płynąć chcę na Wschód, za Suez, gdzie jest dobrem każde zło | l_|/ A ~-=-~ O| Gdzie przykazań brak dziesięciu, a pić można aż po dno; | | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Key servers
Jonathan McDowell wrote/napisał[a]/schrieb: -- Start of PGP signed section. > On Sun, Apr 14, 2002 at 07:12:09PM +0200, Michal Tarana wrote: > > > I made my gpg signature with gpg tool in Woody and everything was O.K. > > until I wanted to send it to some keyserver. I tried few servers from > > www.keyserver.net, but everytime I got only this answer: > > > > gpg: error sending to 'www.keyserver.net' eof. > > > > Can somebody recomend me some other keyservers or help with this > > problem? > > As the admin of wwwkeys.uk.pgp.net I can highly recommend it. ;) which software it runs? does it support subkeys? Alex -- C _-=-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | | * ; (_O : +-+ --+~| ! &~) ? | Płynąć chcę na Wschód, za Suez, gdzie jest dobrem każde zło | l_|/ A ~-=-~ O| Gdzie przykazań brak dziesięciu, a pić można aż po dno; | | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: default Apache configuration
Ralf Dreibrodt wrote/napisał[a]/schrieb: > Hi, > > i just saw an error on a debian box with apache(-common) 1.3.9-13.2: > > drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var > drwxr-xr-x6 root root 4096 Mar 11 06:30 /var/log > drwxr-xr-x2 root root 4096 Mar 10 06:25 /var/log/apache > -rw-rw-r--1 www-data nogroup134382 Mar 12 13:45 > /var/log/apache/access.log > > tail -n 1 /var/log/apache/access.log > 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET > /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148 > > to whom belongs this problem? > > the programmer, who used GET for a login or the sysadmin who shows every > ordinary user the GET-request? The programmer. This is a very bad practice, the password also lands in the logs of w3caches along the way, in browser history, etc. Alex -- C _-=-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | | * ; (_O : +-+ --+~| ! &~) ? | Płynąć chcę na Wschód, za Suez, gdzie jest dobrem każde zło | l_|/ A ~-=-~ O| Gdzie przykazań brak dziesięciu, a pić można aż po dno; | |
Re: default Apache configuration
Ralf Dreibrodt wrote/napisał[a]/schrieb: > Hi, > > i just saw an error on a debian box with apache(-common) 1.3.9-13.2: > > drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var > drwxr-xr-x6 root root 4096 Mar 11 06:30 /var/log > drwxr-xr-x2 root root 4096 Mar 10 06:25 /var/log/apache > -rw-rw-r--1 www-data nogroup134382 Mar 12 13:45 > /var/log/apache/access.log > > tail -n 1 /var/log/apache/access.log > 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET > /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148 > > to whom belongs this problem? > > the programmer, who used GET for a login or the sysadmin who shows every > ordinary user the GET-request? The programmer. This is a very bad practice, the password also lands in the logs of w3caches along the way, in browser history, etc. Alex -- C _-=-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | | * ; (_O : +-+ --+~| ! &~) ? | Płynąć chcę na Wschód, za Suez, gdzie jest dobrem każde zło | l_|/ A ~-=-~ O| Gdzie przykazań brak dziesięciu, a pić można aż po dno; | | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
Petro wrote/napisał[a]/schrieb: > On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote: > > 3DES is generally considered strong enough. However, it is slow, and > > can effect performance. Try doing large 'scp's and switch between > > DES/3DES was designed to be implemented in hardware, doing a > software-only implementation is going to be slow. Current DES implementations aren't so slow, they reach millions of encryptions per sencond on current hardware. Alex
Re: is 3des secure??
Petro wrote/napisał[a]/schrieb: > On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote: > > 3DES is generally considered strong enough. However, it is slow, and > > can effect performance. Try doing large 'scp's and switch between > > DES/3DES was designed to be implemented in hardware, doing a > software-only implementation is going to be slow. Current DES implementations aren't so slow, they reach millions of encryptions per sencond on current hardware. Alex -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: GPG fingerprints
Tim Haynes wrote/napisał[a]/schrieb: > Wade Richards <[EMAIL PROTECTED]> writes: > > > >A five minute explanation of the principle of a > > >man-in-the-middle attack, followed by a swift bat upside the head with a > > >copy of "Applied Cryptography" seemed to do the trick, and he sheepishly > > >removed it. > > > > I think that many people put their fingerprint in their e-mail signature > > to exploit the Internet's archiving capability. If I e-mail you my public > > key, you should not pay attention to the fingerprint in the signature of > > that e-mail. However, you can go to dejanews.com, or the debian mailing > > list archives, or your own "saved mail" folder, and notice that every > > single message from me has the same GPG fingerprint, even the messages > > that are months or years old. From that, you can develop a degree of > > trust. > > Yes. A zero-trust sense of trust. > > The whole point of having a fingerprint is to be able to compare it out of > band - eg you send me your public key, I phone you back and you have to dig > out the fingerprint which I compare from the public key, which is totally > defeated if someone else can dig it out of deja/google! WHAT!? Anyone who gets hold of a public key can check what fingerprint it has. There are public keyservers. There are public keys on the w3. Key fingerprint never was meant to be a secret. > If you want to develop a sense of trust, then the most trust you can have > is that `this poster' is the same as `that poster', because their messages > both validate against the same key ID (*not* fingerprint). > > Unless I'm well mistaken, of course... But I'd never trust a key whose > fingerprint had turned up in public before. I believe you are mistaken. Publishing fingerprint is a (weak) way to defeat MITM attacks. If someone constattly uses a key with a known fingerprint sudden change of fingerprint may may suggest MITM. Note: your method of comparing a fingerprint is weak. Fingerprint comaprition is a two way protocol. If Bob is to sign Alice's key he should read first group of fingerprint, then Alice should read the second, then Bob the third, etc. This ensures at least that Bob and Alice are talking about the same public key. Alex -- C _-=-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | | * ; (_O : +-+ --+~| ! &~) ? | Płynąć chcę na Wschód, za Suez, gdzie jest dobrem każde zło | l_|/ A ~-=-~ O| Gdzie przykazań brak dziesięciu, a pić można aż po dno; | |
Re: GPG fingerprints
Tim Haynes wrote/napisał[a]/schrieb: > Wade Richards <[EMAIL PROTECTED]> writes: > > > >A five minute explanation of the principle of a > > >man-in-the-middle attack, followed by a swift bat upside the head with a > > >copy of "Applied Cryptography" seemed to do the trick, and he sheepishly > > >removed it. > > > > I think that many people put their fingerprint in their e-mail signature > > to exploit the Internet's archiving capability. If I e-mail you my public > > key, you should not pay attention to the fingerprint in the signature of > > that e-mail. However, you can go to dejanews.com, or the debian mailing > > list archives, or your own "saved mail" folder, and notice that every > > single message from me has the same GPG fingerprint, even the messages > > that are months or years old. From that, you can develop a degree of > > trust. > > Yes. A zero-trust sense of trust. > > The whole point of having a fingerprint is to be able to compare it out of > band - eg you send me your public key, I phone you back and you have to dig > out the fingerprint which I compare from the public key, which is totally > defeated if someone else can dig it out of deja/google! WHAT!? Anyone who gets hold of a public key can check what fingerprint it has. There are public keyservers. There are public keys on the w3. Key fingerprint never was meant to be a secret. > If you want to develop a sense of trust, then the most trust you can have > is that `this poster' is the same as `that poster', because their messages > both validate against the same key ID (*not* fingerprint). > > Unless I'm well mistaken, of course... But I'd never trust a key whose > fingerprint had turned up in public before. I believe you are mistaken. Publishing fingerprint is a (weak) way to defeat MITM attacks. If someone constattly uses a key with a known fingerprint sudden change of fingerprint may may suggest MITM. Note: your method of comparing a fingerprint is weak. Fingerprint comaprition is a two way protocol. If Bob is to sign Alice's key he should read first group of fingerprint, then Alice should read the second, then Bob the third, etc. This ensures at least that Bob and Alice are talking about the same public key. Alex -- C _-=-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | | * ; (_O : +-+ --+~| ! &~) ? | Płynąć chcę na Wschód, za Suez, gdzie jest dobrem każde zło | l_|/ A ~-=-~ O| Gdzie przykazań brak dziesięciu, a pić można aż po dno; | | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
