
Comment: Re:What about SSL certificates? (Score 3, Informative) 152

by Cruicky (#27879175) Attached to: Preparing To Migrate Off of SHA-1 In OpenPGP

The OpenSSL package in Ubuntu supports SHA224, SHA256, SHA384, and SHA512, even though it's not actually shown in the help, with the command line options being -sha224, -sha256, -sha384 and -sha512.

I've been happily using SHA512 with a personal CA for the last year.

It's possible that other distributions have also compiled in support for these hash functions in their OpenSSL packages.

Comment: Re:This is complete BS, and is easy to test (Score 1) 374

by Cruicky (#27784905) Attached to: Forensics Tool Finds Headerless Encrypted Files

I just tried with a 2GB file from /dev/urandom and it was of course detected as headless encryption.

I then, however, tried with a file that was 2GB + 1 byte, and it was still seen as headless encryption. The time taken for the program to decide it's headless encryption probably means it's only scanning the first X bytes, so it's possible it's just an entropy test on the header area.

This is a bit like TCHunt, except TCHunt actually does do the mod 512 test.
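As an added illustration of the two heuristics contrasted above (this is example code, not the tool's or the commenter's), the Python below scores a file by the entropy of an assumed leading window and, TCHunt-style, by whether its size is a whole number of 512-byte sectors; the window size, the threshold and the sample headers are constructed assumptions.

```python
import math
import random
from collections import Counter

# Assumed parameters: the scan window ("the first X bytes") and the entropy
# cutoff are illustrative guesses, not values taken from the tool.
HEADER_BYTES = 65536
ENTROPY_THRESHOLD = 7.9  # bits per byte; 8.0 is the maximum possible


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_entropy_test(header: bytes) -> bool:
    """Entropy-only heuristic: flags anything whose leading bytes look random."""
    return shannon_entropy(header[:HEADER_BYTES]) >= ENTROPY_THRESHOLD


def mod512_test(size: int) -> bool:
    """TCHunt-style check: a TrueCrypt volume is a whole number of 512-byte sectors."""
    return size % 512 == 0


def classify(header: bytes, size: int) -> dict:
    """Verdict of the entropy-only heuristic and of entropy combined with mod 512."""
    entropy_only = header_entropy_test(header)
    return {
        "entropy_only": entropy_only,
        "entropy_and_mod512": entropy_only and mod512_test(size),
    }


# Constructed inputs: a seeded pseudo-random header stands in for the first bytes
# of /dev/urandom output; only the claimed file size differs between the two runs.
rng = random.Random(27784905)
RANDOM_HEADER = bytes(rng.getrandbits(8) for _ in range(HEADER_BYTES))
TEXT_HEADER = b"The quick brown fox jumps over the lazy dog.\n" * 1500
TWO_GIB = 2 * 1024 ** 3

if __name__ == "__main__":
    for label, header, size in [
        ("2 GiB urandom", RANDOM_HEADER, TWO_GIB),
        ("2 GiB + 1 byte urandom", RANDOM_HEADER, TWO_GIB + 1),
        ("plain text", TEXT_HEADER, TWO_GIB),
    ]:
        print(label, classify(header, size))
```

The entropy-only verdict is the same for both random files; only the size test separates the 2GB + 1 byte file, which is the behaviour the comment reports the tool lacking.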

Comment: SSL/TLS Client Certificates (Score 1) 208

by Cruicky (#26960919) Attached to: SSLStrip Now In the Wild

It is worth noting that sites that use client certificates are not affected by this, as SSLStrip cannot sign the CertificateVerify TLS message due to it not having a client certificate that would be accepted (you hope), therefore the exchange between SSLStrip and the real site would fail.

Granted, you can still downgrade the session to HTTP (if you start from an HTTP site), present a fake site, and possibly obtain a password or other form of authentication token, but a valid client certificate would still be required for the authentication tokens to be of any use (assuming this is the only site where said authentication tokens get used).

Faking the real site would be difficult, though, as you wouldn't be able to see it: the web server would never serve it to you, since you don't have a valid client certificate to view the page.
