[RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
Posted: Sun Oct 16, 2016 1:49 am
by barbaz
http://arstechnica.com/security/2016/10 ... ypto-keys/
Ok, so all that is possible in theory. But it still requires quite massive computing power to be practical, and I notice that nowhere is there any mention of haxxor actually using such a trapdoor in the real world.
So, does this lead to any current, real-world concerns for a user of Gecko 49?
If so -
1) Are these concerns of the 'AAAAAA!!!! HAXXOR CAN MITM MY HTTPS!!!!!!!!' variety? Or like 'Oh noes haxxor has my passwords from some months ago' type concerns?
2) Is it worth disabling anything in about:config over this? If so, what?
Re: Crypto "trapdoors" - FUD or tangible threat?
Posted: Wed Oct 19, 2016 2:51 am
by barbaz
Even Thrawn and yes_noscript, who are both very knowledgeable on all this crypto stuff, have no idea?
Guess this isn't a concern then.
https://www.youtube.com/watch?v=-H10VqfkYOk
Re: Crypto "trapdoors" - FUD or tangible threat?
Posted: Thu Oct 20, 2016 4:12 pm
by yes_noscript
[offtopic]Under the week (Monday-Thursday) I'm at work and can't write here[/offtopic]
The NSA *can* crack weak 1024-bit Diffie-Hellman keys if the config is crap, but that's not a real problem for us.
So just disable that cipher and use 2k or, better, 4k-bit keys.
This is my cipher suite in Pale Moon (Pale Moon Commander addon):

Re: Crypto "trapdoors" - FUD or tangible threat?
Posted: Thu Oct 20, 2016 5:12 pm
by barbaz
yes_noscript wrote:[offtopic]Under the week (monday-thursday) i'm at work and can't write here[/offtopic]
No problem, glad you find any time to write here.
yes_noscript wrote:So just disable that cipher and use 2k or better 4k bit keys.
This is my cipher suite in Pale Moon (Pale Moon Commander addon):
Thanks much for the information! Looks like the only one I need to switch off is
security.ssl3.ecdhe_ecdsa_aes_128_sha
For those using otherwise default cypher configuration, check this thread as well:
viewtopic.php?f=19&t=22108#p84179
off-topic: Pale Moon Commander version 1.7.3 seems to work well enough in SeaMonkey 2.46, but must be converted first.
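An added example, not from either poster: a small Python script that reads prefs.js/user.js-style lines and lists which finite-field DHE cipher suites (the security.ssl3.dhe_* prefs) are still switched on, since the 1024-bit Diffie-Hellman concern discussed above applies to those and not to the ECDHE suites. The pref names other than the one quoted in the post are the classic Firefox-era names and are assumed, not confirmed on this page, to be the same in Pale Moon.

```python
import re

# Matches a Gecko prefs.js / user.js boolean line: user_pref("name", true|false);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\);\s*$')

def parse_cipher_prefs(text):
    """Return {pref_name: bool} for every boolean security.ssl3.* pref in prefs.js-style text."""
    enabled = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("security.ssl3."):
            enabled[m.group(1)] = (m.group(2) == "true")
    return enabled

def key_exchange(pref):
    """Classify the key exchange of a security.ssl3.* cipher-suite pref by its name prefix."""
    name = pref[len("security.ssl3."):]
    if name.startswith("dhe_"):
        return "DHE"     # finite-field Diffie-Hellman: the 1024-bit-prime concern applies here
    if name.startswith("ecdhe_"):
        return "ECDHE"   # elliptic-curve DH: not affected by weak 1024-bit MODP groups
    if name.startswith("rsa_"):
        return "RSA"     # static RSA key exchange: no forward secrecy at all
    return "other"

def weak_dhe_enabled(text):
    """Sorted names of finite-field DHE suites that are still enabled."""
    prefs = parse_cipher_prefs(text)
    return sorted(p for p, on in prefs.items() if on and key_exchange(p) == "DHE")

def hardening_lines(text):
    """user.js lines that switch off each still-enabled finite-field DHE suite."""
    return ['user_pref("%s", false);' % p for p in weak_dhe_enabled(text)]

# Constructed sample prefs.js mixing DHE, ECDHE and RSA suites (assumed pref names, see lead-in).
SAMPLE_PREFS = """\
user_pref("security.ssl3.dhe_rsa_aes_128_sha", true);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true);
user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
user_pref("security.ssl3.rsa_aes_128_sha", true);
user_pref("security.tls.version.min", 1);
"""

if __name__ == "__main__":
    for line in hardening_lines(SAMPLE_PREFS):
        print("suggested user.js line:", line)
```

Point it at a real profile's prefs.js to see which dhe_* suites are still on; non-boolean prefs (such as security.tls.version.min) are ignored by the parser.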
Re: [RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
Posted: Thu Oct 20, 2016 11:21 pm
by Thrawn
Sorry, hadn't been here in a few days.
Sounds like it's basically saying, "What the NSA tried to do with Dual_EC_DRBG, it might also have done with pretty much any 1024-bit DH schemes (and we wouldn't know about it)".
I'm not sure of the computational cost of exploiting it for 1024-bit keys, but even 2048-bit wasn't really considered safe, so I'm guessing that a backdoored 1024-bit key is pretty cheap to crack.
Re: [RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
Posted: Thu Oct 20, 2016 11:58 pm
by barbaz
Thrawn wrote: I'm guessing that a backdoored 1024-bit key is pretty cheap to crack.
For only NSA-type organizations, or for haxxor too?
Re: [RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
Posted: Fri Oct 21, 2016 4:13 am
by Thrawn
Well, the premise is that the backdoor is built into the standard. There are only a few prime numbers commonly used for these things, and if they were chosen by eg the NSA, then they may have deliberately chosen numbers that they know how to break.
So theoretically, only those who developed the standards, or those who have obtained the universal secret keys from them.
Re: [RESOLVED] Crypto "trapdoors" - FUD or tangible threat?
Posted: Fri Oct 21, 2016 4:53 am
by barbaz
Thanks.
Re: Crypto "trapdoors" - FUD or tangible threat?
Posted: Fri Oct 21, 2016 4:57 pm
by yes_noscript
barbaz wrote:Pale Moon Commander version 1.7.3 seems to work well enough in SeaMonkey 2.46
Nice!
[offtopic]I also wonder if such a converter can convert Jetpack SDK addons to non-Jetpack SDK addons[/offtopic]
Re: Crypto "trapdoors" - FUD or tangible threat?
Posted: Fri Oct 21, 2016 5:05 pm
by barbaz
yes_noscript wrote:[offtopic]I also wonder if such a converter can convert Jetpack SDK addons to non-Jetpack SDK addons[/offtopic]
Not likely. I've done this manually for one addon, and it required almost a complete rewrite from scratch.