Re: Low security SSL sites

2005-04-25 Thread Ian Grigg
Peter 128 128 128 128 128 128 128 128 128 128. [Snip] Ignore the numbers, concentrate on the security. iang 128 ^ 128 (my 128 is better than your 128) Actually you should have used 128+1, because real cryptographers' keys go to 129. LOL... For those who do not understand the reference,

Re: Low security SSL sites

2005-04-24 Thread Peter Gutmann
Heikki Toivonen writes: Ian G wrote: Peter Gutmann wrote: 1. Disable SSLv2 in your browser (i.e. take it to the state that it should have been shipped in in the first place). Right. Perhaps we should file a bug? Something like?:

Re: Low security SSL sites

2005-04-21 Thread Gervase Markham
Ka-Ping Yee wrote: I believe the problem is that right now a lot of people are expecting or led to expect CAs to do job (b), but they don't do that. Some do, some don't. Work is in progress to differentiate between the two in the browser UI. Gerv

Re: Low security SSL sites

2005-04-21 Thread Gervase Markham
Ian G wrote: They have no incentive to do so, and even if they did, they'd be ignored. People widely ignore the fact that when Verisign says trusted it means one thing, and when Comodo says trusted it means another thing. Until this is fixed, there is no point in (b) so we see what we see - a

Re: Low security SSL sites

2005-04-21 Thread Heikki Toivonen
Ian G wrote: Peter Gutmann wrote: 1. Disable SSLv2 in your browser (i.e. take it to the state that it should have been shipped in in the first place). Right. Perhaps we should file a bug? Something like?: https://bugzilla.mozilla.org/show_bug.cgi?id=106604

Re: Low security SSL sites

2005-04-19 Thread Nelson B
Ian G wrote: Nelson explained this a while ago ... until the browsers go to SSL3 / TLS 1.0 they cannot handle virtual hosts. Ian, If you're going to attribute explanations to me, please be sure you get them right. Today the browsers support all 3: SSL2 SSL3 TLS1 The new TLS extensions are

Re: Low security SSL sites

2005-04-19 Thread Duane
Julien Pierre wrote: You still have the ability to use alternate ports for your 2 extra SSL servers, using your single IP. If you must use the same port, all may not be lost. You might be able get a single cert with all 3 hostnames in it, for example. If you want to use different certs or

Re: Low security SSL sites

2005-04-18 Thread Ian G
Jaqui Greenlees wrote: Peter Gutmann wrote: You can see where the magic-numbers problem has led with the magic number 128. Provided that you mention this magic number somewhere in your marketing literature, your product will be regarded as secure no matter how bad it is in practice. ~snip~

Re: Low security SSL sites

2005-04-18 Thread Gervase Markham
Ian G wrote: And ... my point is that the difficulty of numbers that you refer to is equally applicable to any other metric we might come up with. Literally, your commerce v. non-commerce differentiation is equally fraught. The two are not equivalent. If the distinction is made by, say, an icon

Re: Low security SSL sites

2005-04-18 Thread Nelson B
Ian G wrote: Nelson B wrote: Ian G wrote: (OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping people elsewhere using crypto. What are you talking about? This one: [here I have snipped an old message of mine that says that SSL2 servers are hindering the rollout of new optional TLS

Re: Low security SSL sites

2005-04-18 Thread Ian G
Gervase Markham wrote: It's like Michelin stars. You probably have to cook better food these days to get 3 stars for your restaurant than you did in the 30s, but three stars still means the best available. Michelin stars would be a perfect example. The users would see the Michelin man, and the

Re: Low security SSL sites

2005-04-18 Thread Ka-Ping Yee
On Mon, 18 Apr 2005, Ian G wrote: Gervase Markham wrote: It's like Michelin stars. You probably have to cook better food these days to get 3 stars for your restaurant than you did in the 30s, but three stars still means the best available. Michelin stars would be a perfect example. [...]

Re: Low security SSL sites

2005-04-18 Thread Ian G
Nelson B wrote: [here I have snipped an old message of mine that says that SSL2 servers are hindering the rollout of new optional TLS extensions. ] Ian, how is that stopping people from using encryption? Correct me if I am wrong, but it means that the virtual hosts capability in newer versions

Re: Low security SSL sites

2005-04-18 Thread Ian G
Ka-Ping Yee wrote: On Mon, 18 Apr 2005, Ian G wrote: Gervase Markham wrote: It's like Michelin stars. You probably have to cook better food these days to get 3 stars for your restaurant than you did in the 30s, but three stars still means the best available. Michelin stars would be a perfect

Re: Low security SSL sites

2005-04-18 Thread Julien Pierre
Ian, Ian G wrote: Nelson B wrote: [here I have snipped an old message of mine that says that SSL2 servers are hindering the rollout of new optional TLS extensions. ] Ian, how is that stopping people from using encryption? Correct me if I am wrong, but it means that the virtual hosts capability

Re: Low security SSL sites

2005-04-18 Thread Jaqui Greenlees
Julien Pierre wrote: Ian, Ian G wrote: Nelson B wrote: [here I have snipped an old message of mine that says that SSL2 servers are hindering the rollout of new optional TLS extensions. ] Ian, how is that stopping people from using encryption? Correct me if I am wrong, but it means that the

RE: Low security SSL sites

2005-04-18 Thread Deacon, Alex
14, 2005 11:11 PM To: mozilla-security@mozilla.org Subject: Re: Low security SSL sites Deacon, Alex writes: It should be noted that VeriSign sold the registrar division of Network Solutions (including the brand) back in 2003. It no longer has any affiliation

Re: Low security SSL sites

2005-04-17 Thread Frank Hecker
Peter Gutmann wrote: You can see where the magic-numbers problem has led with the magic number 128. Provided that you mention this magic number somewhere in your marketing literature, your product will be regarded as secure no matter how bad it is in practice. And of course 256 will be the new

Re: Low security SSL sites

2005-04-15 Thread Nelson B
Ian G wrote: (OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping people elsewhere using crypto. What are you talking about? Stopping people using crypto should be a hanging offence. Come the revolution, they will be the first against the wall...) iang -- Nelson B

Re: Low security SSL sites

2005-04-15 Thread Gervase Markham
Ian G wrote: I'd say 40 bit is good enough for banking, and 128 bit is good enough for banks :-) As the TLS people have now added a 256 bit protocol suite, they no doubt think that only 256 should be used by banks... I think you may have missed my point, which was: a number is still a number,

Re: Low security SSL sites

2005-04-15 Thread Ian G
Gervase Markham wrote: Ian G wrote: I'd say 40 bit is good enough for banking, and 128 bit is good enough for banks :-) As the TLS people have now added a 256 bit protocol suite, they no doubt think that only 256 should be used by banks... I think you may have missed my point, which was: a

Re: Low security SSL sites

2005-04-15 Thread Ian G
Nelson B wrote: Ian G wrote: (OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping people elsewhere using crypto. What are you talking about? This one: Nelson B wrote: Julien Pierre wrote: There is a TLS extension called server name indication. It is currently not implemented by NSS .

Re: Low security SSL sites

2005-04-14 Thread Ian G
Peng wrote: That may instead annoy them sufficiently that they switch back to IE, if they need to visit the site a lot. Personally, I didn't use to think to contact a website if there was a problem. I just ignored it or went to another website or spoofed my user agent or something. Putting

Re: Low security SSL sites

2005-04-14 Thread Duane
Ian G wrote: Peng wrote: That may instead annoy them sufficiently that they switch back to IE, if they need to visit the site a lot. Personally, I didn't use to think to contact a website if there was a problem. I just ignored it or went to another website or spoofed my user agent or

RE: Low security SSL sites

2005-04-14 Thread Deacon, Alex
Gutmann Sent: Wednesday, April 13, 2005 12:06 AM To: mozilla-security@mozilla.org Subject: Re: Low security SSL sites Duane writes: Peter Gutmann wrote: You may as well name 'em since it's fairly well known, it's Verisign (yes, the Actually another one, so that makes 2

Re: Low security SSL sites

2005-04-14 Thread Gervase Markham
Duane wrote: This certificate is 50% good (128/256) or 15% good (40/256) then you just alter the top number, or even subtract for bad protocols, I'm sure people would get the idea pretty quick and it would be consistent, even when things change in future... That's better, but it doesn't address

Re: Low security SSL sites

2005-04-14 Thread Ian G
Duane wrote: Ian G wrote: Peng wrote: That may instead annoy them sufficiently that they switch back to IE, if they need to visit the site a lot. Personally, I didn't use to think to contact a website if there was a problem. I just ignored it or went to another website or spoofed my user agent

Re: Low security SSL sites

2005-04-13 Thread Peng
On 04/11/05 23:27, Peter Gutmann wrote: Frank Hecker writes: Doug Wright wrote: Gerv suggested I post this here for discussion - copied from bug 288693 [Snip] In Opera, the message must be OKed/cancelled *before the site is even rendered* My personal preference would be a

Re: Low security SSL sites

2005-04-12 Thread Ian G
Duane wrote: Peter Gutmann wrote: You may as well name 'em since it's fairly well known, it's Verisign (yes, the Actually another one, so that makes 2 of them (at least)... Duane, Either you are working for some company and you have a conflict of interest that stops you doing security work. Or

Re: Low security SSL sites

2005-04-11 Thread Peter Gutmann
Frank Hecker writes: Doug Wright wrote: Gerv suggested I post this here for discussion - copied from bug 288693 [Snip] In Opera, the message must be OKed/cancelled *before the site is even rendered* My personal preference would be a dialog with a delayed OK button (like

Re: Low security SSL sites

2005-04-11 Thread Peter Gutmann
Duane writes: Ram A M wrote: I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in the default config. I have had problems with one domain registrar using it... You may as well name 'em since it's fairly

Re: Low security SSL sites

2005-04-11 Thread Duane
Peter Gutmann wrote: You may as well name 'em since it's fairly well known, it's Verisign (yes, the Actually another one, so that makes 2 of them (at least)... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally

Re: Low security SSL sites

2005-04-07 Thread Duane
Gervase Markham wrote: So in two years' time, when the advice changes to 256/2048, they have to learn a new set of numbers? I should issue a better cert for the CAcert website, but it's more common than not that I'm getting 256/1024, and the root cert is 4096, which some software still doesn't

Re: Low security SSL sites

2005-04-06 Thread Ram A M
Duane wrote: Ram A M wrote: I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in the default config. I have had problems with one domain registrar using it... Yep me too, it seems netsol still requires SSL2. I wonder how

Re: Low security SSL sites

2005-04-05 Thread Ram A M
If one wanted to achieve a useful distinction, then I suggest warning when an SSL v2 protocol site is struck, as at least then a real issue is being addressed. I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in the default

Re: Low security SSL sites

2005-04-05 Thread Ian G
Ram A M wrote: If one wanted to achieve a useful distinction, then I suggest warning when an SSL v2 protocol site is struck, as at least then a real issue is being addressed. I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in

Re: Low security SSL sites

2005-04-05 Thread Duane
Ram A M wrote: I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in the default config. I have had problems with one domain registrar using it... -- Best regards, Duane http://www.cacert.org - Free Security Certificates

Re: Low security SSL sites

2005-04-04 Thread Gervase Markham
Frank Hecker wrote: This raises the question that we've previously debated on this group: Is popping up a warning dialog the right thing to do, or does that just encourage users to blindly click OK? Is a better alternative to just display the page without the SSL lock icon, with an accompanying

Re: Low security SSL sites

2005-04-04 Thread Gervase Markham
Ian G wrote: Why not just put the number of crypto bits on the status bar, next to the site name, CA name and padlock? I'm surprised at you, Ian. I would have thought the reason was obvious :-) In Opera, the message must be OKed/cancelled *before the site is even rendered* Heavens above! I

Re: Low security SSL sites

2005-04-04 Thread Jean-Marc Desperrier
Doug Wright wrote: Gerv suggested I post this here for discussion - copied from bug 288693 When visiting 'secure' sites that use outdated encryption, Firefox/Thunderbird should give a big ugly warning about the dangers of submitting information to this site. [...] My personal preference would

Re: Low security SSL sites

2005-04-04 Thread Ian G
Jean-Marc Desperrier wrote: I'm surprised nobody has said until now that there's already such a warning dialog for 40 bit crypto (at least in the suite, maybe FF removed it). I don't believe 512 RSA keys trigger it, though. 512 bit keys are a lot stronger than 40 bit, they are more like about

Re: Low security SSL sites

2005-04-04 Thread Ian G
Gervase Markham wrote: Ian G wrote: Why not just put the number of crypto bits on the status bar, next to the site name, CA name and padlock? I'm surprised at you, Ian. I would have thought the reason was obvious :-) It could be blindingly obvious to others ... but it's not to me! In Opera,

Re: Low security SSL sites

2005-04-04 Thread Ian G
Gervase Markham wrote: Ian G wrote: It could be blindingly obvious to others ... but it's not to me! Because 99.99% of users will have no idea what the numbers are, nor will they have any ability to make sensible decisions based on them. Well, they are generally in a much better position to make

Re: Low security SSL sites

2005-04-01 Thread Frank Hecker
Doug Wright wrote: Gerv suggested I post this here for discussion - copied from bug 288693 When visiting 'secure' sites that use outdated encryption, Firefox/Thunderbird should give a big ugly warning about the dangers of submitting information to this site. For reference: the latest Opera 8