[ale] Will we have any encryption left?
DJ-Pfulio
djpfulio at jdpfu.com
Wed Jan 6 11:23:19 EST 2016
On 01/06/2016 10:55 AM, Alex Carver wrote:
> http://arstechnica.com/security/2016/01/fatally-weak-md5-function-torpedoes-crypto-protections-in-https-and-ipsec/
>
> (The referenced paper is embargoed behind a password at the moment)
>
> I believe after Heartbleed and Poodle I have purged MD5 but now I'm not
> sure. Have to wait for the paper to open up again and find out.
I had assumed HTTPS was broken for the last 8 yrs. Anything that can be
modified by a government as part of the core solution cannot be trusted. HTTPS
depends on 2 things - trusted encryption and trusted DNS. DNS hasn't been
trustworthy ... er ... ever, so until DNSSEC is deployed world-wide, HTTPS
cannot be trusted.
OTOH, it is good-enough to buy stuff online, mostly. ;)
If you need perfect security, don't put it on a computer that has any networking
- wired, wifi, Bluetooth possible and use dm-crypt with a
non-government-approved, strong, encryption cipher.
IMHO.
More information about the Ale
mailing list