Re: [foaf-protocols] New attack plucks secrets from HTTPS-protected pages

On 4 August 2013 17:16, Peter Williams <home_pw@msn.com> wrote:

> nothing new.
>
> so use compression that is BUILT IN to the SSL process. It is properly
> tuned. It properly uses the record layer so record-layer AND security
> handshake boundaries are “application aware”. It does make SSL more of an
> internet (i.e. layer 4 peer entity layer) concept, than a webby layer
> 7 “hypermedia concept”, though.
>
> But, note that compression and SSL *was* patented (and continuations may
> still be). It was proactively-patented for national security reasons; both
> good and bad. The good one was to stop folks doing it completely wrong
> (this was at a time when VeriSign required SSL vendors to undergo a basic
> software audit to be allowed to embed root keys, a governance technique
> designed to “stop folks being stupid about basic comsec that would
> undermine the value of the [VISA] brand attached to certs”). The bad one
> was the usual CI caveat reason - minimize the distribution of knowhow about
> military cryptanalysis methods. We are all still thinking 1980s, even in
> 1994, one should recall.
>
> A webid IDP is a perfectly proper place to apply better knowhow, as is
> ws-trust STS IDP that leverages client certs at layer 4 to authorize
> SAML/JWT token minting. These are proper places to apply strong crypto
> knowhow, speaking in terms of social politics.
>
> Sent from Windows Mail
>

Here's a great presentation about cracking RSA.  Perhaps we will need
bigger keys or to switch to ECC sooner than we thought ...

http://www.slideshare.net/astamos/bh-slides


>
> *From:* Melvin Carvalho
> *Sent:* Sunday, August 4, 2013 7:10 AM
> *To:* public-webid, foaf-protocols@lists.foaf-project.org
>
>
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
>

Received on Sunday, 4 August 2013 17:15:14 UTC