Eric Mill | 12 Apr 19:40 2014

If not StartSSL, the next best CA for individuals?

(Setting aside how awful the CA system is generally...)

For those who still have a need to participate in it, and for those
angry at StartCom's refusal to waive[1][2] revocation fees for their
free class 1 certs, what's the best CA for the job?

Even if not free, I'm looking to recommend[3] something priced
attractively for individuals and non-commercial uses. The friendlier
the interface, and the more reliable and principled the customer
service, the better.

-- Eric



-- |  <at> konklone
Jeffrey Walton | 11 Apr 23:50 2014

NSA Said to Exploit Heartbleed Bug for Intelligence for Years

The U.S. National Security Agency knew for at least two years about a
flaw in the way that many websites send sensitive information, now
dubbed the Heartbleed bug, and regularly used it to gather critical
intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national
security interests threatens to renew the rancorous debate over the
role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s
history, a flaw in the basic security of as many as two-thirds of the
world’s websites. Its discovery and the creation of a fix by
researchers five days ago prompted consumers to change their
passwords, the Canadian government to suspend electronic tax filing
and computer companies including Cisco Systems Inc. to Juniper
Networks Inc. to provide patches for their systems.
cryptography mailing list
cryptography <at>
Jeffrey Walton | 11 Apr 07:35 2014

Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?

Yesterday afternoon, Ars Technica published a story reporting two
possible logs of Heartbleed attacks occurring in the wild, months
before Monday's public disclosure of the vulnerability. It would be
very bad news if these stories were true, indicating that blackhats
and/or intelligence agencies may have had a long period when they knew
about the attack and could use it at their leisure.

In response to the story, EFF called for further evidence of
Heartbleed attacks in the wild prior to Monday. The first thing we
learned was that the SeaCat report was a possible false positive; the
pattern in their logs looks like it could be caused by ErrataSec's
masscan software, and indeed one of the source IPs was ErrataSec.

The second log seems much more troubling. We have spoken to Ars
Technica's second source, Terrence Koeman, who reports finding some
inbound packets, immediately following the setup and termination of a
normal handshake, containing another Client Hello message followed by
the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs
from November 2013. These bytes are a TLS Heartbeat with contradictory
length fields, and are the same as those in the widely circulated
proof-of-concept exploit.
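The eight bytes quoted above can be checked mechanically. The following C code is an added example, not part of the EFF post or its sources: it parses one TLS record and applies the RFC 6520 bounds check that a heartbeat's declared payload length must fit inside the record, which is the test a log scanner would run over captured packets; both byte arrays are constructed, the first from the values quoted in the post.

```c
#include <stddef.h>
#include <stdint.h>

/* Verdicts returned by inspect_tls_record(). */
enum verdict { TRUNCATED = -1, NOT_HEARTBEAT = 0, HEARTBEAT_OK = 1, HEARTBEAT_OVERSIZED = 2 };

/* Reads the 16-bit big-endian field at buf[off]. */
static uint16_t be16(const uint8_t *buf, size_t off)
{
    return (uint16_t)((buf[off] << 8) | buf[off + 1]);
}

/* Inspects one TLS record (5-byte header followed by its payload). For a
 * heartbeat record (content type 0x18) it checks that hb type (1) + payload
 * length field (2) + declared payload + 16 bytes of minimum padding fit in
 * the record length from the header, the check vulnerable OpenSSL omitted. */
int inspect_tls_record(const uint8_t *buf, size_t len)
{
    if (len < 5)
        return TRUNCATED;
    if (buf[0] != 0x18)
        return NOT_HEARTBEAT;
    uint16_t rec_len = be16(buf, 3);
    if (rec_len < 3 || len < 5u + rec_len)
        return TRUNCATED;                  /* no room for hb type + length */
    size_t declared = be16(buf, 6);        /* heartbeat payload_length */
    if (declared + 1 + 2 + 16 > rec_len)
        return HEARTBEAT_OVERSIZED;
    return HEARTBEAT_OK;
}

/* Declared heartbeat payload length, or -1 if the buffer is not at least a
 * heartbeat record header; handy to log next to the verdict. */
int heartbeat_declared_length(const uint8_t *buf, size_t len)
{
    if (len < 8 || buf[0] != 0x18)
        return -1;
    return be16(buf, 6);
}

/* Constructed sample: the TCP payload bytes quoted in the post above. Record
 * length 3 carries a heartbeat request claiming 0x4000 = 16384 bytes. */
const uint8_t logged_heartbeat[] = { 0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00 };

/* Constructed well-formed request: 4-byte payload "ping" plus 16 bytes of
 * padding, so the record length is 1 + 2 + 4 + 16 = 23 (0x17). */
const uint8_t benign_heartbeat[] = { 0x18, 0x03, 0x02, 0x00, 0x17, 0x01, 0x00, 0x04,
                                     'p', 'i', 'n', 'g', 0, 0, 0, 0, 0, 0, 0, 0,
                                     0, 0, 0, 0, 0, 0, 0, 0 };
```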
Scott G. Kelly | 10 Apr 19:09 2014

question about heartbleed on Linux

Does heartbleed allow one to read (discarded, freed) physical memory containing data from the OS and/or
other processes in linux?

A friend and I were discussing this. If the memory management is "lazy" (doesn't clear on page
allocation/free), and if processes don't clear their own memory, I wondered if heartbleed would expose
anything. My friend thinks "modern" operating systems clear memory to prevent inter-process data
leakage. Of course, I agree that this is security goodness, but I wonder if, in the name of performance,
this is "optional".

I'm poking around in linux memory management code in between other tasks, but I'll bet somebody here knows
the answer. Anyone?
travis+ml | 10 Apr 02:17 2014

crypto model based on cardiorespiratory coupling

This is nonsense, right?  Unbounded in the sense of relying on secrecy of the unbounded number of algorithms?

Remediating... like a BOSS.

Pranesh Prakash | 8 Apr 04:13 2014


Dear all,
In the March IETF 89 meeting in London, there were renewed discussions 
around end-to-end encryption in XMPP.

Here is the recording of the session:

There was basic agreement that OTR is a horrible fit for XMPP since it 
doesn't provide full stanza encryption.  The very reasons for the 
benefits of OTR (its ability to be protocol-agnostic) are the reasons 
for its shortfalls too.

However, there is no clear alternative.  The closest is 
draft-miller-xmpp-e2e.  The one clear verdict was that more contributors 
are required.

The discussions are happening at:

If anyone has the time to make contributions, please do jump in (and 
spread the word).

~ Pranesh

Pranesh Prakash
Policy Director, Centre for Internet and Society
T: +91 80 40926283 | W:

Edwin Chu | 7 Apr 23:53 2014

The Heartbleed Bug is a serious vulnerability in OpenSSL


The latest story for OpenSSL

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Eric Mill | 4 Apr 20:08 2014

Github Pages now supports SSL

I know most of the people on here have transcended the earthbound, maudlin Certificate Authority system, but as services-adopting-SSL-news goes, I'm particularly excited about Github Pages, which started quietly supporting SSL for * domains a few weeks back.

I'm excited because Github Pages is powerful, verrrrry flexible, and totally free. AFAIK, it's the only major blog/web host that gives you free SSL, backed by a high quality CDN (since everything is static files).

To promote the occasion and nudge Github to take it further, I wrote up my own experience, and a little how-to for forcing redirects via Jekyll:

Along with Cloudflare's 2014 plan to offer SSL termination for free, and their stated plan to double SSL on the Internet by end of year, the barrier to HTTPS everywhere is dropping rapidly.

ianG | 4 Apr 15:09 2014


Has anyone looked at Tails?

 Crucial encryption tool enabled NSA reporting on shoestring budget

Big players in Snowden revelations publicly praise Tails, in hope of
gaining much-needed funding for the tool

While followers of the NSA leaks stories and everyday privacy
enthusiasts may be well acquainted with encryption tools like PGP, the
best-practice privacy tool — the operating system enabling much of the
Snowden leaks reporting — is known to few but experts.

On Wednesday, however, three key NSA revelation journalists (Laura
Poitras, Glenn Greenwald and Bart Gellman) spoke publicly about the
importance of Tails — a tool that forces privacy best-practices by
default. As Trevor Timm reported, it’s essentially the sine qua non of
reporting on sensitive stories. However, as Timm notes, the “vital” tool
“is incredibly underfunded. Tails’ 2013 expense report shows that they
only had an operating budget of around 42,000 euros, which is less than
$60,000.” In an effort to garner donations, the journalists spoke out
for the first time at the Freedom of the Press Foundation site about
Tails’ importance:

    Laura Poitras: “I’ve been reluctant to go into details about the
different steps I took to communicate securely with Snowden to avoid
those methods being targeted. Now that Tails gives a green light, I can
say it has been an essential tool for reporting the NSA story. It is an
all-in-one secure digital communication system (GPG email, OTR chat, Tor
web browser, encrypted storage) that is small enough to swallow. I’m
very thankful to the Tail developers for building this tool.”

    Glenn Greenwald: “Tails have been vital to my ability to work
securely on the NSA story. The more I’ve come to learn about
communications security, the more central Tails has become to my approach.”

    Barton Gellman: “Privacy and encryption work, but it’s too easy to
make a mistake that exposes you. Tails puts the essential tools in one
place, with a design that makes it hard to screw them up. I could not
have talked to Edward Snowden without this kind of protection. I wish
I’d had it years ago.”

Timm ran down the key aspects of how Tails renders best-practice privacy
communications a default for its users:

    It forces all of your web traffic through the Tor anonymity network,
so you don’t have to configure any of the settings on any program.
    It allows you to use GPG encryption when you are emailing and/or OTR
encryption while instant messaging, right out of the box.
    It allows journalists to work on sensitive documents, edit audio and
video, and store all their files encrypted.
    Critically, Tails never actually touches your hard drive and
securely wipes everything you’ve done every time you shut it down
(unless you specifically save it on an encrypted drive). This serves two
important purposes: first, it helps journalists who are operating in
environments or on networks that may already be compromised by
governments or criminals.

Natasha Lennard

Natasha Lennard is an assistant news editor at Salon, covering
non-electoral politics, general news and rabble-rousing. Follow her on
Twitter  <at> natashalennard, email nlennard@...
Nico Williams | 1 Apr 23:32 2014

Client-side Dual_EC prevalence? (was Re: Extended Random is extended to whom, exactly?)

On Mon, Mar 31, 2014 at 12:45 PM, Stephen Farrell
<stephen.farrell@...> wrote:
> The paper [2] also has more about exploiting dual-ec if you
> know a backdoor that I've not yet read really.

> [2]

That paper talks about servers.  What is the prevalence of Dual_EC on
the client-side of TLS?

Assuming most TLS usage involves RSA key transport -a fair assumption
given the well-noted non-use of PFS until recent times- the client's
RNG is more critical than the server's.

I realize that client-side prevalence is harder to measure.  Still,
since Dual_EC was in the Java and SChannel stacks, it seems reasonable
to conclude that client-side Dual_EC penetration was quite high at its
peak, but is that right?

ianG | 31 Mar 19:36 2014

Extended Random is extended to whom, exactly?

(Reuters) - Security industry pioneer RSA adopted not just one but two
encryption tools developed by the U.S. National Security Agency, greatly
increasing the spy agency's ability to eavesdrop on some Internet
communications, according to a team of academic researchers.

A group of professors from Johns Hopkins, the University of Wisconsin,
the University of Illinois and elsewhere now say they have discovered
that a second NSA tool exacerbated the RSA software's vulnerability.

The professors found that the tool, known as the "Extended Random"
extension for secure websites, could help crack a version of RSA's Dual
Elliptic Curve software tens of thousands of times faster, according to
an advance copy of their research shared with Reuters.

In a Pentagon-funded paper in 2008, the Extended Random protocol was
touted as a way to boost the randomness of the numbers generated by the
Dual Elliptic Curve.

But members of the academic team said they saw little improvement, while
the extra data transmitted by Extended Random before a secure connection
begins made predicting the following secure numbers dramatically easier.

"Adding it doesn't seem to provide any security benefits that we can
figure out," said one of the authors of the study, Thomas Ristenpart of
the University of Wisconsin.

Johns Hopkins Professor Matthew Green said it was hard to take the
official explanation for Extended Random at face value, especially since
it appeared soon after Dual Elliptic Curve's acceptance as a U.S. standard.

"If using Dual Elliptic Curve is like playing with matches, then adding
Extended Random is like dousing yourself with gasoline," Green said.

The NSA played a significant role in the origins of Extended Random. The
authors of the 2008 paper on the protocol were Margaret Salter,
technical director of the NSA's defensive Information Assurance
Directorate, and an outside expert named Eric Rescorla.

END of snippets, mostly to try and figure out what this protocol is
before casting judgement.  Anyone got an idea?