Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×

Comment: Re:What about SSL certificates? (Score 3, Informative) 152

by Cruicky (#27879175) Attached to: Preparing To Migrate Off of SHA-1 In OpenPGP

The OpenSSL package in Ubuntu supports SHA224, SHA256, SHA384, and SHA512, even though it's not actually shown in the help, with the command line options being -sha224, -sha256, -sha384 and -sha512.

I've been happily using SHA512 with a personal CA for the last year.

It's possible that other distributions have also compiled in support for these hash functions in their OpenSSL packages.

Comment: Re:This is complete BS, and is easy to test (Score 1) 374

by Cruicky (#27784905) Attached to: Forensics Tool Finds Headerless Encrypted Files

I just tried with a 2GB file from /dev/urandom and it was of course detected as headless encryption.

I then however tried with a file that was 2GB + 1 byte, and it was still seen as headless encryption. Based on the time taken for the program to think it's headless encryption probably means it's only scanning the first X bytes, so it's possible it's just an entropy test on the header area.

This is a bit like TCHunt, except TCHunt actually does do the mod 512 test.

Comment: SSL/TLS Client Certificates (Score 1) 208

by Cruicky (#26960919) Attached to: SSLStrip Now In the Wild

It is worth noting that sites that use client certificates are not affected by this, as SSLStrip cannot sign the CertificateVerify TLS message due to it not having a client certificate that would be accepted (you hope), therefore the exchange between SSLStrip and the real site would fail.

Granted you can still downgrade the session to HTTP (if you start from a HTTP site), present a fake site, and possibly obtain a password or other form of authentication token, but a valid client certificate would still be required for the authentication tokens to be of any use (assuming this is the only site where said authentication tokens get used).

Faking the real site would be difficult though, as you wouldn't be able to see it as the web server would never serve it to you as you don't have a valid client certificate to view the page.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...