On 08/14/2013 10:03 AM, Richard Pieri wrote:
> Certificate + handshake = session key => decrypted session in real
> time. Any user, any session, any time, any reason. No cryptanalysis
> needed. No brute force needed.

Yes, if the communication uses a broken (lack of) key exchange. Stupidly, SSL only recently got improved to support perfect-forward-security, Safari and Internet Explorer don't really support it, and the PRISM companies, coincidentally, don't support it.

The good news is that a third of Firefox, Chrome, and Opera SSL traffic uses good key exchange and is not susceptible to passive snooping or after-the-fact decryption.

I didn't realize that SSL was so stupid. Rather important technology was left out of SSL, even though it was already two years old at that point. Grrr.

An interesting article on this:
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

The fact that the traffic with the PRISM companies allows this easy decryption underlines that efficiencies matter for the NSA. Every monkey wrench helps...

-kb
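The distinction the thread turns on (static RSA key exchange, where the server's certificate key decrypts every captured session, versus ephemeral DHE/ECDHE, where it does not) can be checked mechanically from the negotiated cipher suite name. The script below is an added example and is not code from the message above or from the Netcraft article: it classifies suite names in both OpenSSL and IANA spelling, audits a constructed list of negotiated suites such as one would read out of a capture or `openssl s_client` output, and builds a Python `ssl` context restricted to ephemeral key exchange. The `kea` strings it checks (`kx-rsa`, `kx-ecdhe`, and so on) are the key-exchange labels that Python's `ssl` module reports from OpenSSL; the sample suite names are constructed for illustration.

```python
"""Forward-secrecy audit for TLS cipher suites (added example, stdlib only)."""
import ssl

# OpenSSL key-exchange labels, as returned in the "kea" field of
# ssl.SSLContext.get_ciphers(), for which possession of the server's
# long-term private key is enough to recover the session keys from a
# passive capture.  Static DH/ECDH suites were removed from OpenSSL 1.1.0+
# but are listed for completeness.
NON_FORWARD_SECRET_KEA = {"kx-rsa", "kx-rsa-psk", "kx-dh", "kx-ecdh"}


def forward_secret(suite):
    """Return True if the suite uses an ephemeral key exchange.

    Accepts OpenSSL names ("ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA")
    and IANA names ("TLS_RSA_WITH_AES_128_CBC_SHA").  TLS 1.3 suites
    ("TLS_AES_128_GCM_SHA256") are always ephemeral.
    """
    s = suite.strip().upper()
    if s.startswith("TLS_"):
        if "_WITH_" in s:
            # IANA TLS <= 1.2 name: the part before _WITH_ names the key
            # exchange, e.g. TLS_ECDHE_RSA, TLS_DHE_DSS, TLS_RSA, TLS_ECDH_RSA.
            kx = s.split("_WITH_", 1)[0]
            return "DHE_" in kx          # matches TLS_DHE_* and TLS_ECDHE_*
        return True                      # TLS 1.3: no static-key exchange exists
    # OpenSSL name: an ephemeral exchange is always spelled out as a prefix.
    # A bare "AES128-SHA" is RSA key exchange; "ECDH-RSA-..." is static ECDH.
    return s.startswith(("ECDHE-", "DHE-", "EDH-", "EECDH-"))


def decryptable_later(negotiated_suites):
    """Return the suites from a list of negotiated suites whose sessions a
    holder of the server's certificate key could decrypt after the fact."""
    return [name for name in negotiated_suites if not forward_secret(name)]


def decryptable_with_server_key(ctx):
    """Names of suites a context would offer that are not forward secret."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["kea"] in NON_FORWARD_SECRET_KEA]


def forward_secret_context():
    """Client context that only offers ephemeral key exchange.

    TLS 1.3 suites stay enabled (always ephemeral); for TLS 1.2 only
    ECDHE/DHE with AEAD ciphers remain.  RSA key exchange is never offered,
    so a server that supports nothing else will fail the handshake rather
    than silently fall back to a suite that can be decrypted later.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


if __name__ == "__main__":
    # Constructed sample: suites as they might be read from a capture of
    # several sessions.  Not real measurement data.
    captured = [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "AES128-SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
        "TLS_AES_256_GCM_SHA384",
    ]
    for name in decryptable_later(captured):
        print("decryptable with server key:", name)
    ctx = forward_secret_context()
    print("non-forward-secret suites offered by hardened context:",
          decryptable_with_server_key(ctx))
```

`decryptable_later` is the check to run over whatever suite names a capture or log gives you; `decryptable_with_server_key` is the check to run against your own client or server configuration before deployment, and should return an empty list.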
BLU is a member of BostonUserGroups.
We also thank MIT for the use of their facilities.