Re: GnuPG website docs

2020-01-15 Thread David Eisner via Gnupg-users
On Mon, Jan 13, 2020 at 3:55 AM Werner Koch wrote: > > I added some notices but I am not sure what to suggest as replacement. > Many thanks. My guess is that the HOWTOs won't be updated anytime soon, so this might be the best you can do for the time being. -David

Re: GnuPG website docs

2020-01-13 Thread Werner Koch via Gnupg-users
On Fri, 10 Jan 2020 10:48, David Eisner said: > 1. I think there should be a notice near the top of > https://gnupg.org/documentation/howtos.html that says something like this: > "The mini HOWTO is out-of-date and documents an older version of GnuPG. For > more up-to-date documentation, please see

Re: gnupg website

2017-01-30 Thread Werner Koch
On Mon, 30 Jan 2017 20:13, gl...@rempe.us said: > I would suggest you also look at doing HSTS browser preload now that > you have long duration HSTS and a good modern TLS suite. It would I considered this ... > require being applied to sub-domains as well I think which you may or but can't do t

Re: gnupg website

2017-01-30 Thread sivmu
On 30.01.2017 at 18:22, Werner Koch wrote: > On Mon, 30 Jan 2017 11:56, w...@gnupg.org said: > >> I am working on that. But please give me a few days. I want to align > > Time warp: All servers updated. Sslabs rating is now A+ (respective A > for those without HSTS). The used pound versio

Re: gnupg website

2017-01-30 Thread Ludwig Hügelschäfer
On 30.01.17 18:22, Werner Koch wrote: > Hope that helps the Sierras It does :-) Thanks! Ludwig

Re: gnupg website

2017-01-30 Thread Glenn Rempe
Awesome! Works perfectly now. Tested on macOS (Sierra) Safari and current iOS Safari. Congrats on your A+ at SSLlabs https://www.ssllabs.com/ssltest/analyze.html?d=gnupg.org&s=217.69.76.60 I would suggest you also look at doing HSTS browser preloa

Re: gnupg website

2017-01-30 Thread Werner Koch
On Mon, 30 Jan 2017 11:56, w...@gnupg.org said: > I am working on that. But please give me a few days. I want to align Time warp: All servers updated. Sslabs rating is now A+ (respective A for those without HSTS). The used pound version can be found at git.gnupg.org. Hope that helps the

Re: gnupg website

2017-01-30 Thread Andrew Gallagher
On 30/01/17 17:22, Werner Koch wrote: > Time warp: All servers updated. I can confirm it works on the latest iOS. Andrew. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/m

Re: gnupg website

2017-01-30 Thread Robert J. Hansen
> It just occurred to me that it seems you're conflating bits and bytes. > Doesn't a 64-bit-block cipher operate on 2**3 rather than 2**6 bytes? *coughs* Yes. My bad.

Re: gnupg website

2017-01-30 Thread Werner Koch
On Mon, 30 Jan 2017 07:54, gl...@rempe.us said: > Is there a plan to take action on this TLS issue that Julien and I have > written about? I believe all Safari and iOS users are excluded from I am working on that. But please give me a few days. I want to align the patched version of pound, whic

Re: gnupg website

2017-01-30 Thread Richard Höchenberger
Hi, On Mon, Jan 30, 2017 at 7:54 AM, Glenn Rempe wrote: > I believe all Safari and iOS users are excluded from > gnupg.org without action on the TLS setup. > I can confirm that Safari won't open https://gnupg.org/ on macOS 10.12.3. Very frustrating indeed! Best, Richard

Re: gnupg website

2017-01-30 Thread Peter Lebbing
On 26/01/17 19:48, Robert J. Hansen wrote: > The 256GiB limitation (2**32 blocks of 2**6 bytes = 2**38 bytes; 2**30 is a > gibibyte, 2**8 is 256, hence, 256 GiB) It just occurred to me that it seems you're conflating bits and bytes. Doesn't a 64-bit-block cipher operate on 2**3 rather than 2**6 byt

Re: gnupg website

2017-01-29 Thread Glenn Rempe
Werner, Is there a plan to take action on this TLS issue that Julien and I have written about? I believe all Safari and iOS users are excluded from gnupg.org without action on the TLS setup. Cheers On 1/26/17 11:15 AM, Julien Vehent wrote: > Hello,

Re: gnupg website

2017-01-27 Thread Julien Vehent
Hello, I'm the maintainer of the Server Side TLS guidelines at Mozilla. I'm happy to help with the HTTPS setup of gnupg.org in any way I can. Here's the configuration currently measured by the TLS Observatory, along with some recommendations to reach Modern level. --- Ciphers Evaluation

RE: gnupg website

2017-01-26 Thread Robert J. Hansen
> For example OpenSSH does a rekeying not later than 4 GiByte even for 128 > bit block length ciphers. The 256GiB limitation (2**32 blocks of 2**6 bytes = 2**38 bytes; 2**30 is a gibibyte, 2**8 is 256, hence, 256 GiB) is so well-known that it appears multiple times in the GnuPG FAQ, even. All the

Re: gnupg website

2017-01-26 Thread Glenn Rempe
Werner, you (or anyone setting up a web server themselves really) might also find this config generator from Mozilla helpful as a shortcut in creating what is considered a modern web server config for TLS. https://mozilla.github.io/server-side-tls/s

Re: gnupg website

2017-01-26 Thread Werner Koch
On Wed, 25 Jan 2017 23:33, r...@sixdemonbag.org said: > That's the sort of thing that causes a lot of crypto nerds to twitch and > mutter "rekey, rekey". For example OpenSSH does a rekeying not later than 4 GiByte even for 128 bit block length ciphers. The block length problem is known since we

Re: gnupg website

2017-01-26 Thread Filipp Gunbin
On 25/01/2017 17:16 -0800, Glenn Rempe wrote: > I would also like to note that gnupg.org does not appear to work on > the latest versions of Apple iOS or macOS Safari due to TLS cert > issues. It fails to load in Safari on either platform (but Chrome and > Firefox do work on macOS, Safari is the

Re: gnupg website

2017-01-26 Thread Andrew Gallagher
On 26/01/17 00:16, Andrew Gallagher wrote: > > gnupg.org *does* keep 3DES at the end of the supported suites, so surely > it should not be affected. I'm tempted to write this off as a > mistake by ssllabs. I've spoken to ssllabs and it appears that this was an ambiguity in the wording of their bl

Re: gnupg website

2017-01-25 Thread Glenn Rempe
I would also like to note that gnupg.org does not appear to work on the latest versions of Apple iOS or macOS Safari due to TLS cert issues. It fails to load in Safari on either platform (but Chrome and Firefox do work on macOS, Safari is the only b

Re: gnupg website

2017-01-25 Thread Andrew Gallagher
On 2017/01/25 21:07, sivmu wrote: > Anyways ssllabs shows a warning that the website will be degraded > from A to C in a month. Not sure that matters all that much, but if > there is an opportunity to change the available ciphers at some > point... I've looked into this and I'm not sure why ssl

Re: gnupg website

2017-01-25 Thread Antony Prince
On 1/25/2017 4:36 PM, sivmu wrote: > Basically if you can collect a few hundred GB of data, it is trivial to > calculate the key. There is a proof of concept for https connections, > although I believe this is especially relevant for VPN connections > (openvpn uses a 64-bit cipher (blowfish) by de

RE: gnupg website

2017-01-25 Thread Robert J. Hansen
> There are proofs of concept against TLS and openvpn https://sweet32.info/ Sure, but those proofs-of-concept require *hundreds of GB of traffic*. That's the sort of thing that causes a lot of crypto nerds to twitch and mutter "rekey, rekey".

Re: gnupg website

2017-01-25 Thread sivmu
On 25.01.2017 at 23:00, Robert J. Hansen wrote: >> The main problem would be its 64-bit block size. Apparently there's a >> "practical" attack against 64-bit ciphers as used in TLS [1]. > > Quoting from the abstract: "In our proof-of-concept demos, the attacker > needs to capture about 785GB

RE: gnupg website

2017-01-25 Thread Robert J. Hansen
> The main problem would be its 64-bit block size. Apparently there's a > "practical" attack against 64-bit ciphers as used in TLS [1]. Quoting from the abstract: "In our proof-of-concept demos, the attacker needs to capture about 785GB of data." I question the wisdom of any system which sends

Re: gnupg website

2017-01-25 Thread sivmu
On 25.01.2017 at 22:25, Damien Goutte-Gattat wrote: > On 01/25/2017 02:41 PM, Robert J. Hansen wrote: >> For that matter, I'm still in the dark as to what the big problem with >> three-key 3DES is. The best attack against it requires more RAM than >> exists in the entire world and only reduces

Re: gnupg website

2017-01-25 Thread Damien Goutte-Gattat
On 01/25/2017 02:41 PM, Robert J. Hansen wrote: > For that matter, I'm still in the dark as to what the big problem with > three-key 3DES is. The best attack against it requires more RAM than > exists in the entire world and only reduces it to 112 bits. The main problem would be its 64-bit block siz

Re: gnupg website

2017-01-25 Thread sivmu
On 25.01.2017 at 12:14, Peter Lebbing wrote: > On 25/01/17 09:52, Werner Koch wrote: >> OCSP is used as an alternative to CRLs and not directly related to >> privacy. > > The OP might have meant "OCSP Stapling" which includes the OCSP data in > the data sent by the webserver during TLS session

Re: gnupg website

2017-01-25 Thread Robert J. Hansen
> This whole banning of SHA-1 and 3DES for public https servers and in > particular ssllabs' new grades is mostly security theater. For that matter, I'm still in the dark as to what the big problem with three-key 3DES is. The best attack against it requires more RAM than exists in the entire worl

Re: gnupg website

2017-01-25 Thread Peter Lebbing
On 25/01/17 09:52, Werner Koch wrote: > OCSP is used as an alternative to CRLs and not directly related to > privacy. The OP might have meant "OCSP Stapling" which includes the OCSP data in the data sent by the webserver during TLS session setup. That way, the OCSP data doesn't need to be fetched

Re: gnupg website

2017-01-25 Thread Andrew Gallagher
> On 25 Jan 2017, at 08:52, Werner Koch wrote: > > On Wed, 25 Jan 2017 01:05, si...@web.de said: > >> not sure this is the perfect place, but I wanted to point out that the >> gnupg.org website still uses sha1 as a mac. > > Despite that SHA-1 is not yet broken they now even claim that HMAC-SH

Re: gnupg website

2017-01-25 Thread Werner Koch
On Wed, 25 Jan 2017 01:05, si...@web.de said: > not sure this is the perfect place, but I wanted to point out that the > gnupg.org website still uses sha1 as a mac. Despite that SHA-1 is not yet broken they now even claim that HMAC-SHA1 is broken? I do not even know a theoretical attack on HMA