Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] KeePassX



On 08/14/2013 10:03 AM, Richard Pieri wrote:
> Certificate + handshake = session key => decrypted session in real 
> time. Any user, any session, any time, any reason. No cryptanalysis 
> needed. No brute force needed.

Yes, if the communications uses a broken (lack of) key exchange. 
Stupidly, SSL only recently got improved to support 
perfect-forward-security, Safari and Internet Explorer don't really 
support it, and the PRISM companies, coincidentally, don't support it.

The good news is that a third of Firefox, Crome, and Opera SSL traffic 
uses good key exchange and not susceptible to passive snooping or 
after-the-fact decryption.

I didn't realize that SSL was so stupid.  Rather important technology 
was left out of SSL, even though it was already two years old at that 
point.  Grrr.

An interesting article on this: 
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html 


The fact that the traffic with the PRISM companies allows this easy 
decryption underlines that efficiencies matter for the NSA.  Every 
monkey wrench helps...


-kb



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org