Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-10 Thread PsychoBilly
Statement = False Moreover reinventing da wheel when there's need to pay for its use is mandatory *** > In my opinion it's pretty much useless reinventing the wheel;

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-09 Thread Shreyas Zare
Hi, I totally agree with Tim. SSL is fragile but the mentioned protocol basically creates the same problems that PKI was created to solve. Regards, Shreyas Zare Sr. Information Security Researcher Secfence Technologies www.secfence.com On Thu, Sep 9, 2010 at 1:00 AM, Tim wrote: > > >

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Larry Seltzer
It's true that conventional certs have been completely devalued by the bottom-feeders. This is a good argument for EV. Goatse may dismiss EV as a joke, but there are very few EV CAs and none of them are TELECOM MINISTRY OF BUTTFUCKISTAN. The spec requires that they authenticate the operation of the

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Christian Sciberras
> However, why don't we have server certificates with multiple > independent CA signatures? Tim, I find that concept very interesting. Cheers, Chris. On Wed, Sep 8, 2010 at 10:34 PM, Tim wrote: >> > I'd rather have a company pay some good bucks to get their hands on a >> > highly trusted certif

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Tim
> > I'd rather have a company pay some good bucks to get their hands on a > > highly trusted certificate than kids whose aim in life is wiping as > > much hard disks as possible. > > Which also answers why those $10-$20 assholes do a better job than > > the kids we all know about... > > Same. I

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Harry Strongburg
On Wed, Sep 08, 2010 at 09:12:13PM +0200, Christian Sciberras wrote: > I'd rather have a company pay some good bucks to get their hands on a > highly trusted certificate than kids whose aim in life is wiping as > much hard disks as possible. > Which also answers why those $10-$20 assholes do a be

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Andrew Auernheimer
Dan, Upon examining SRP, you are correct. SRP solves the same problem in a superior manner. lulz On Wed, Sep 8, 2010 at 2:52 PM, Dan Kaminsky wrote: > Ah, a new password-authenticated DH.  At first glance, this is similar to > SRP (http://srp.stanford.edu/), but the server stores a plaintext pas

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread BMF
On Wed, Sep 8, 2010 at 12:12 PM, Christian Sciberras wrote: > Call me paranoid, but I stick to the #1 rule of never ever trusting the > public. That is what is good about WoT. You can set the policy on who to trust. You can trust only yourself, certain people, or $BIGCORP if that is what you wan

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread dvs
Andrew, The whole point of the current PKI is to ensure that with no prior knowledge on the first connection the person you are communicating with is who they say they are via a trusted third party who can vouch for them. If you can verify their identity once you can cache their cryptographic

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Dan Kaminsky
Ah, a new password-authenticated DH. At first glance, this is similar to SRP (http://srp.stanford.edu/), but the server stores a plaintext password. Initial thinking -- I'm not convinced that an offline brute force attack won't work -- the nonce may break rainbow tabling, but it is transmitted v

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Tim
> > This is no different than installing a client cert > > Yes, exactly. This is as equally secure as installing a client cert. > Except it is achieved without a client cert, using only a password, in > a manner that can be more easily scaled to lots of users. Um... I think you have it backwards.

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Tim
> Amen. This is why we should use and support web of trust style systems. Webs of trust could definitely make SSL's PKI more fault tolerant. The hard part is figuring out how to make it work while users don't have to put forth any additional effort. Thoughts? tim

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Christian Sciberras
We want a certain X people from a certain X chan dictating how some X software is fully trusted and can run on my computer. Call me paranoid, but I stick to the #1 rule of never ever trusting the public. I'd rather have a company pay some good bucks to get their hands on a highly trusted certific

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Christian Sciberras
So now it's a matter of scaling? I'd rather stay on the grounds of certificates, where scaling has been one of the primary focuses since the early 2k. In my opinion it's pretty much useless reinventing the wheel; the idea behind certificates is as much a security medium as is the party being acti

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread BMF
On Wed, Sep 8, 2010 at 9:24 AM, Andrew Auernheimer wrote: > un-tl;dr abstract: SSL is broken. Certificate authorities only exist > to let the US, Chinese, Turkish, Brazilian etc etc government or > Russian mob spy on you (whichever is interested first). Well, I guess > they also exist to line the

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Andrew Auernheimer
> This is no different than installing a client cert Yes, exactly. This is as equally secure as installing a client cert. Except it is achieved without a client cert, using only a password, in a manner that can be more easily scaled to lots of users. > > > Trying to not sound like a dick, > dvs.

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Harry Strongburg
On Wed, Sep 08, 2010 at 07:15:35PM +0200, Christian Sciberras wrote: > You're expecting us to trust YOU over the Government X? > > How do we know you're not working for the French Government (seeing > how you didn't list it in your conspiracy list)? > > I love jokes, but this is a bit too late fo

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Tim
> While we may be similar to other proposed ideas, our implementation is > unique and we are rapidly developing a PAM module at this moment. We > are not limited to https. I would expect there to be quite a bit less value in adding something like this to SSH for the following reasons: * Users o

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Andrew Auernheimer
Tim, Absolutely, the risk of javascript being rewritten is highlighted below-- which is why there needs to be something outside the reference implementation below. While we may be similar to other proposed ideas, our implementation is unique and we are rapidly developing a PAM module at this mome

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Andrew Auernheimer
Chris, The cryptographic primitives are long-standing and strong, and the source is open! Feel free to pick apart our proposed protocol specification! On Wed, Sep 8, 2010 at 12:15 PM, Christian Sciberras wrote: > You're expecting us to trust YOU over the Government X? > > How do we know you're n

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Christian Sciberras
You're expecting us to trust YOU over the Government X? How do we know you're not working for the French Government (seeing how you didn't list it in your conspiracy list)? I love jokes, but this is a bit too late for April's Fool. Cheers, Chris. On Wed, Sep 8, 2010 at 6:59 PM, Tim wrote: >

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Tim
Hello Andrew, > un-tl;dr abstract: SSL is broken. Certificate authorities only exist > to let the US, Chinese, Turkish, Brazilian etc etc government or > Russian mob spy on you (whichever is interested first). Well, I guess > they also exist to line the pockets of assholes who want $10-50 for > p

[Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities

2010-09-08 Thread Andrew Auernheimer
A GOATSE SECURITY RELEASE Application layer authentication-inherent validation of public key integrity without the use of a trusted third party Andrew Auernheimer and Jordan Borges. More readable version w/ reference links available here: http://security.goatse.fr/clench-our-way-of-saying-screw-you