Google making SSL changes, other sites quiet
How many sites other than Google (mis)use TLS in this way? Be afraid.
Saturday, August 23, 2008
Tuesday, July 01, 2008
ratproxy unleashed
Google just released their internal tool for passive web security assessment. While it has the unfortunate name ratproxy, it looks, frankly, badass. If you care about the security of your site (and even if you don't, your users probably do), you should consider making ratproxy a regular part of your secure development process.
Sunday, June 15, 2008
What not to do, part 2
As expected, there are many TLS sites using keys generated using the flawed, Ubuntu version of OpenSSL. Netcraft has the latest.
Thursday, June 12, 2008
Selecting cryptographic key sizes
Selecting cryptographic key sizes is a valuable reference for estimating the security margin for algorithms and key sizes and is deliciously applicable to TLS configuration choices.
A few tasty tidbits:
Does anyone seriously believe that published attacks represent the state of the art? It may safely be assumed that unpublished work is many years ahead of what the public at large gets to see: a public announcement that a system is broken provides at best a rather trivial upper bound – and a very simple-minded one, in our opinion – for the date that the system became vulnerable.
According to Table 1, 512-bit RSA keys should not have been used beyond 1986.
According to Table 1 usage of 768-bit RSA keys can no longer be recommended. Even in the cost-equivalent model 768-bit RSA keys will soon no longer offer security comparable to the security of the DES in 1982.
A few tasty tidbits:
Does anyone seriously believe that published attacks represent the state of the art? It may safely be assumed that unpublished work is many years ahead of what the public at large gets to see: a public announcement that a system is broken provides at best a rather trivial upper bound – and a very simple-minded one, in our opinion – for the date that the system became vulnerable.
According to Table 1, 512-bit RSA keys should not have been used beyond 1986.
According to Table 1 usage of 768-bit RSA keys can no longer be recommended. Even in the cost-equivalent model 768-bit RSA keys will soon no longer offer security comparable to the security of the DES in 1982.
SNI is goodness
SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls.
I encourage you to try it out. I have no experience with mod_gnutls, but gnutls is top notch and 80% less code than mod_ssl is a good thing.
I encourage you to try it out. I have no experience with mod_gnutls, but gnutls is top notch and 80% less code than mod_ssl is a good thing.
Subscribe to:
Posts (Atom)
