Full Disclosure mailing list archives
Re: end of useable crypto in browsers?
From: Sebastian <sebb () sebb767 de>
Date: Thu, 14 Apr 2016 16:30:55 +0200
On 2016-04-14 16:19, Reindl Harald wrote:
> On 14.04.2016 at 00:54, Sebastian wrote:
>> [...]
>> That's true. But the keygen element is flawed by the known-broken CA system(*) and you can't build a secure house on a broken foundation. You could check whether the certificate for your site is issued by your CA, but if they can issue certificates they could simply attack your browser's updater. Our only hope for truly secure communication are tools like pgp combined with anonymity through for example TOR or freenet (not the ISP)
>
> how do you come to the conclusion that you need any 3rd party CA for a client certificate which you accept on your server?
I don't. But even if you roll your own CA, you'll have a hard time avoiding someone with a wildcard CA (updater, every other page you open, ...). Also, to use <keygen> you need to have a secure connection beforehand (or use http, which would make every MITM happy). Now it is possible to work around this, too, but then you may as well use a fully encrypted channel.
The actual point of the paragraph is that this won't kill our protection from the big companies. Those are probably even the ones using it the most.
Greetings,
Sebastian

--
A great many of today's security technologies are "secure" only because no-one has ever bothered attacking them.
-- Peter Gutmann

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/