A recent paper, which won an award, decided that the NSA has been capable of breaking some 1024-bit DH key exchange protocols for some time. (We already know 512-bit "export" keys are vulnerable.)
The Electronic Freedom Foundation has published advice on hardening your system to eliminate the most vulnerable protocols.
Long-term the solution will be to move beyond public keys of this length to 2048-bit or even 4096-bit keys. This may be a problem for older hardware, because of increased computational requirements. Even without running into these limitations we have the problem of vulnerable unpatched firmware in a high percentage of devices with Internet access.
I got the link from the RISKS news list, but now see there is an article on boing-boing.
hardening HTTPS
A common method to prevent your bicycle from being stolen in the Netherlands is to have more than one lock on it. You have two, or sometimes three, of which at least one is capable of chaining your bike to something stationary.
This does not make it impossible to steal the bicycle, but it requires such an amount of time and effort to do so that a thief will most likely rather choose an easier target.
Another method to prevent your bike from being stolen is not to have a fancy, expensive, attractive bike, but a simple, cheap, somewhat unattractive, utilitarian bike.
It is much less likely to become a target for theft if it is less desirable.
Once again, it is still possible to steal the bike, but less likely to happen.
I am using this analogy because I feel that perhaps, in the future, using older hardware could very well make you a less desirable target, because it is perhaps assumed there is very little of value to be had.
Of course, you'd still do well carrying a couple of locks.
- prehistoric
The business with SHA2 is directed to a different purpose than the protocols using ephemeral DH public keys to set up key exchange for HTTPS.
I'm sorry the whole subject is so confusing, but I'm afraid this is because quite a number of people want the requirements for secure computer use to be confusing. Their ideal situation is one where you are completely vulnerable to them, but not to anyone else.
The bicycle analogy fails when it is not your computer that is being stolen but information, such as that needed to access your bank account. Now, if you are completely worthless you might be safe.
They don't want the account details to steal from it; they want it to launder money. Banks notify the authorities if there are large transactions so the thieves want lots of accounts that they can shift smaller amounts through.
I got investigated when one of my private pension funds matured and transferred a large amount into my bank. It only sat there for a few minutes while I re-invested it into different funds with various access times and interest rates.
"Just think of it as leaving early to avoid the rush" - T Pratchett