http://arstechnica.com/security/2016/10 ... ypto-keys/
Ok, so all that is possible in theory. But it still requires quite massive computing power to be practical, and I notice that nowhere is there any mention of haxxor actually using such a trapdoor in the real world.
So, does this lead to any current, real-world concerns for a user of Gecko 49?
If so -
1) Are these concerns of the 'AAAAAA!!!! HAXXOR CAN MITM MY HTTPS!!!!!!!!' variety? Or like 'Oh noes haxxor has my passwords from some months ago' type concerns?
2) Is it worth disabling something in about:config over this? If so, what to disable?
[RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Crypto "trapdoors" - FUD or tangible threat?
Even Thrawn and yes_noscript, who are both very knowledgeable on all this crypto stuff, have no idea?
Guess this isn't a concern then.
https://www.youtube.com/watch?v=-H10VqfkYOk
*Always* check the changelogs BEFORE updating that important software!
-
Re: Crypto "trapdoors" - FUD or tangible threat?
[offtopic]During the week (Monday-Thursday) I'm at work and can't write here[/offtopic]
The NSA *can* crack weak 1024-bit Diffie-Hellman keys if the config is crap, but that's not a real problem for us.
So just disable that cipher and use 2k or better 4k bit keys.
This is my cipher suite in Pale Moon (Pale Moon Commander addon):
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20161008 PaleMoon/27.0.0b2
Re: Crypto "trapdoors" - FUD or tangible threat?
yes_noscript wrote: [offtopic]During the week (Monday-Thursday) I'm at work and can't write here[/offtopic]
No problem, glad you find any time to write here.
yes_noscript wrote: So just disable that cipher and use 2k or better 4k bit keys. This is my cipher suite in Pale Moon (Pale Moon Commander addon):
Thanks much for the information! Looks like the only one I need to switch off is
security.ssl3.ecdhe_ecdsa_aes_128_sha
For those using otherwise default cypher configuration, check this thread as well: viewtopic.php?f=19&t=22108#p84179
off-topic: Pale Moon Commander version 1.7.3 seems to work well enough in SeaMonkey 2.46, but must be converted first.
*Always* check the changelogs BEFORE updating that important software!
-
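An added example, not part of any post in this thread: a small Python audit of a profile's user.js or prefs.js that lists each security.ssl3.* cipher pref, says whether its name marks a finite-field DHE or an ECDHE suite, and flags DHE suites that are not explicitly disabled. The sample file is constructed, and the two watched dhe_rsa pref names are assumed to be present in the Gecko build being audited.

```python
import re

# Constructed sample user.js (not from the thread); the ecdhe line mirrors the
# pref quoted above, the dhe line is an assumed leftover setting.
SAMPLE_USER_JS = '''\
// hardening overrides
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", true);
user_pref("browser.startup.homepage", "about:blank");
'''

# Finite-field DHE prefs to report on even when the file never mentions them.
WATCH = ("security.ssl3.dhe_rsa_aes_128_sha", "security.ssl3.dhe_rsa_aes_256_sha")

PREFIX = "security.ssl3."
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

def parse_bool_prefs(text):
    """Return {name: bool} for every boolean pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2) == "true"
    return prefs

def classify(name):
    """Key-exchange family, judged from the pref name alone."""
    suite = name[len(PREFIX):]
    if suite.startswith("dhe_"):
        return "finite-field DHE"
    if suite.startswith("ecdhe_"):
        return "ECDHE"
    return "other"

def audit(text, watch=WATCH):
    """List (pref, family, state) for each cipher pref set in text or watched."""
    prefs = parse_bool_prefs(text)
    names = sorted(n for n in set(prefs) | set(watch) if n.startswith(PREFIX))
    states = {True: "enabled", False: "disabled", None: "browser default"}
    return [(n, classify(n), states[prefs.get(n)]) for n in names]

def ffdhe_not_disabled(report):
    """Finite-field DHE prefs that are not explicitly switched off."""
    return [n for n, fam, st in report if fam == "finite-field DHE" and st != "disabled"]

if __name__ == "__main__":
    for row in audit(SAMPLE_USER_JS):
        print("%-45s %-17s %s" % row)
```

A pref reported as "browser default" is simply absent from the file, so its effective value has to be read from about:config.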
Re: [RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
Sorry, hadn't been here in a few days.
Sounds like it's basically saying, "What the NSA tried to do with Dual_EC_DRBG, it might also have done with pretty much any 1024-bit DH schemes (and we wouldn't know about it)".
I'm not sure of the computational cost of exploiting it for 1024-bit keys, but even 2048-bit wasn't really considered safe, so I'm guessing that a backdoored 1024-bit key is pretty cheap to crack.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Re: [RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
Thrawn wrote: I'm guessing that a backdoored 1024-bit key is pretty cheap to crack.
For only NSA-type organizations, or for haxxor too?
*Always* check the changelogs BEFORE updating that important software!
-
Re: [RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
Well, the premise is that the backdoor is built into the standard. There are only a few prime numbers commonly used for these things, and if they were chosen by e.g. the NSA, then they may have deliberately chosen numbers that they know how to break.
So theoretically, only those who developed the standards, or those who have obtained the universal secret keys from them.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Re: [RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
Thanks.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Crypto "trapdoors" - FUD or tangible threat?
barbaz wrote: Pale Moon Commander version 1.7.3 seems to work well enough in SeaMonkey 2.46
Nice!
[offtopic]I also wonder if such a converter can convert Jetpack SDK addons to non-Jetpack SDK addons[/offtopic]
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20161008 PaleMoon/27.0.0b2
Re: Crypto "trapdoors" - FUD or tangible threat?
yes_noscript wrote: [offtopic]I also wonder if such a converter can convert Jetpack SDK addons to non-Jetpack SDK addons[/offtopic]
Not likely. I've done this manually for one addon, and it required almost a complete rewrite from scratch.
*Always* check the changelogs BEFORE updating that important software!
-