Comment Re:What about SSL certificates? (Score 3, Informative) 152

The OpenSSL package in Ubuntu supports SHA224, SHA256, SHA384, and SHA512, even though it's not actually shown in the help, with the command line options being -sha224, -sha256, -sha384 and -sha512.

I've been happily using SHA512 with a personal CA for the last year.

It's possible that other distributions have also compiled in support for these hash functions in their OpenSSL packages.
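Added example (not the commenter's own script): generating a self-signed CA certificate from the OpenSSL command line with the digest chosen explicitly via -sha256 and -sha512, then reading back which signature algorithm the certificate actually records. It assumes only that an `openssl` binary is on PATH; the subject names and the temporary working directory are made up for the demo.

```shell
#!/bin/sh
# Added example: pick the signing digest for a CA certificate with the
# -sha256 / -sha512 options and confirm the choice from the certificate itself.
# Assumes `openssl` is on PATH. Names and paths are constructed for the demo.
set -e
LC_ALL=C; export LC_ALL

WORK="$(mktemp -d)"

# make_ca <digest-option> <basename>
# Creates a 2048-bit RSA key and a self-signed CA certificate whose signature
# uses the given digest option (for example -sha256 or -sha512).
make_ca() {
  digest="$1"; name="$2"
  openssl req -x509 -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    -days 365 "$digest" \
    -subj "/CN=Example Personal CA ($name)" >/dev/null 2>&1
}

# sig_alg <basename>
# Prints the signature algorithm recorded in the certificate, e.g.
# "sha256WithRSAEncryption". The first "Signature Algorithm:" line in the
# -text dump is the one inside the to-be-signed part of the certificate.
sig_alg() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

make_ca -sha256 ca256
make_ca -sha512 ca512
echo "ca256: $(sig_alg ca256)"   # sha256WithRSAEncryption
echo "ca512: $(sig_alg ca512)"   # sha512WithRSAEncryption
```

The same `sig_alg` check is a quick way to audit certificates you already have: anything still reporting `sha1WithRSAEncryption` or `md5WithRSAEncryption` was not signed with one of the stronger digests the comment describes.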

Comment Re:This is complete BS, and is easy to test (Score 1) 374

I just tried with a 2GB file from /dev/urandom and it was of course detected as headless encryption.

I then however tried with a file that was 2GB + 1 byte, and it was still seen as headless encryption. Based on the time taken for the program to decide it's headless encryption, it's probably only scanning the first X bytes, so it's possible it's just an entropy test on the header area.

This is a bit like TCHunt, except TCHunt actually does do the mod 512 test.
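Added example (not code from the comment, from TCHunt, or from the tool under discussion): a small detector in the spirit of the two heuristics mentioned above. It scores the Shannon entropy of only the first 4096 bytes of a file, and separately checks whether the file size is a multiple of 512, so the two tests can be compared on the same inputs. The three sample files are constructed inline, and the 7.5 bits-per-byte threshold is an assumption chosen for the demo, not a value taken from either tool.

```shell
#!/bin/sh
# Added example: a header-entropy test beside a size-mod-512 test, run over
# constructed sample files. Thresholds and sizes are assumptions for the demo.
set -e
LC_ALL=C; export LC_ALL

HEADER_BYTES=4096
WORK="$(mktemp -d)"

# header_entropy <file>
# Shannon entropy in bits per byte of the first HEADER_BYTES bytes, computed
# from a byte histogram. Random data scores close to 8.0; text scores far lower.
header_entropy() {
  head -c "$HEADER_BYTES" "$1" | od -An -v -tu1 | tr -s ' ' '\n' | grep -v '^$' \
    | awk '{ c[$1]++; n++ }
           END { h = 0
                 for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
                 printf "%.2f\n", h }'
}

# size_mod_512_ok <file>
# Succeeds when the file size is an exact multiple of 512 bytes.
size_mod_512_ok() {
  sz=$(wc -c < "$1")
  [ $((sz % 512)) -eq 0 ]
}

# classify <file>
# "structured-header" when the header is not random-looking; otherwise
# "random-header" plus whether the size test also passes.
classify() {
  ent=$(header_entropy "$1")
  if awk "BEGIN { exit !($ent >= 7.5) }"; then
    if size_mod_512_ok "$1"; then echo "random-header,size-ok"
    else echo "random-header,size-odd"; fi
  else
    echo "structured-header"
  fi
}

# Constructed samples: 1 MiB of random bytes, the same plus one byte, and 1 MiB of text
dd if=/dev/urandom of="$WORK/rand_aligned" bs=512 count=2048 2>/dev/null
cp "$WORK/rand_aligned" "$WORK/rand_plus1"; printf 'x' >> "$WORK/rand_plus1"
yes "plain text line" | head -c 1048576 > "$WORK/text_aligned"

for f in rand_aligned rand_plus1 text_aligned; do
  echo "$f: $(classify "$WORK/$f")"
done
```

The entropy-only test flags both random files identically, which matches what the comment observed; only the size test separates the 2GB file from the 2GB + 1 byte one.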

Comment SSL/TLS Client Certificates (Score 1) 208

It is worth noting that sites that use client certificates are not affected by this, as SSLStrip cannot sign the CertificateVerify TLS message due to it not having a client certificate that would be accepted (you hope), therefore the exchange between SSLStrip and the real site would fail.

Granted you can still downgrade the session to HTTP (if you start from an HTTP site), present a fake site, and possibly obtain a password or other form of authentication token, but a valid client certificate would still be required for the authentication tokens to be of any use (assuming this is the only site where said authentication tokens get used).

Faking the real site would be difficult though, as you wouldn't be able to see it: the web server would never serve it to you, since you don't have a valid client certificate to view the page.
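Added example (not the commenter's code): a private CA issues a client certificate to a user, and a second certificate with the same subject name is self-signed by nobody the server trusts, standing in for anything a relaying proxy could mint on its own. Checking both against the CA with `openssl verify` shows the trust decision the server makes at the CertificateRequest step: only the CA-issued certificate passes, so a relay without the user's key and certificate cannot complete the handshake. It assumes `openssl` on PATH; all names and files are constructed for the demo.

```shell
#!/bin/sh
# Added example: why a relaying proxy cannot satisfy a server that requires
# client certificates. Assumes `openssl` on PATH; names are constructed.
set -e
LC_ALL=C; export LC_ALL
WORK="$(mktemp -d)"

# The site's own CA, the only issuer the server trusts for client certificates
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Site Client CA" >/dev/null 2>&1

# A legitimate user's client certificate, issued by that CA
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" \
  -subj "/CN=alice" >/dev/null 2>&1
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -out "$WORK/user.crt" >/dev/null 2>&1

# A certificate with the same subject that chains to no trusted issuer
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
  -keyout "$WORK/untrusted.key" -out "$WORK/untrusted.crt" \
  -subj "/CN=alice" >/dev/null 2>&1

# accepted_by_ca <cert>
# Prints "accepted" when the certificate chains to ca.crt, otherwise "rejected".
# This is the same chain check a server applies to a presented client cert.
accepted_by_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

echo "user.crt:      $(accepted_by_ca "$WORK/user.crt")"       # accepted
echo "untrusted.crt: $(accepted_by_ca "$WORK/untrusted.crt")"  # rejected
```

The subject name alone buys nothing: the check is on the chain to the CA and, during the handshake, on the CertificateVerify signature made with the matching private key, which the relay does not hold.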
