|
thaidn
@
XorNinja
|
|
XorOps at a high-wage Walmart, contributing to Tink and Wycheproof. SSL attack trilogy: BEAST, CRIME, PODDLE. Opinions are Alice's and Bob's.
|
|
|
924
Tweetovi
|
256
Pratim
|
1.850
Osobe koje vas prate
|
| Tweetovi |
|
thaidn
@XorNinja
|
1. velj |
|
focustaiwan.tw/society/202002…. Flights from/to Taiwan are also unbanned.
Safe flights home my friends! twitter.com/aaronMCN/statu…
|
||
|
|
||
|
thaidn
@XorNinja
|
19. sij |
|
It was a long time ago, and it wasn't my interview, but I was shadowing a coworker who asked the interviewee "If you were an animal what would you be?" I was like, WTF, why am I even here?! twitter.com/harriepw/statu…
|
||
|
|
||
|
thaidn
@XorNinja
|
16. sij |
|
I can't just fathom the fact the key to the security of the whole Internet is 1. Think about it!!
|
||
|
|
||
|
thaidn
@XorNinja
|
15. sij |
|
@veorq CVE-2020-0601 supports the Too Much Crypto camp, and should be branded Too Many Certs, Ain't Nobody Got Time for Verifying Them All!
|
||
|
|
||
| thaidn proslijedio/la je tweet | ||
|
Pascal Junod
@cryptopathe
|
15. sij |
|
History repeats itself: after padding oracles, another attack discovered by Serge becomes a practical threat many, many years after its publication. twitter.com/CasCremers/sta…
|
||
|
|
||
| thaidn proslijedio/la je tweet | ||
|
Cas Cremers
@CasCremers
|
15. sij |
|
1. Find an ecc root cert C
2. Create C' with the same public key and curve but set the generator to the public key of C
3. Create a normal signing cert C'' with key pair (pk'',sk'') and sign software/cert with sk''
4. Sign C'' with sk=1
5. Ship software/cert with C'' and C'
|
||
|
|
||
| thaidn proslijedio/la je tweet | ||
|
Saleem Rashid
@saleemrash1d
|
15. sij |
|
CVE-2020-0601 pic.twitter.com/8tJsJqvnHj
|
||
|
|
||
| thaidn proslijedio/la je tweet | ||
|
Zest
@zestexposed
|
15. sij |
|
|
||
|
thaidn
@XorNinja
|
15. sij |
|
Because ECDSA verification is slow?
|
||
|
|
||
| thaidn proslijedio/la je tweet | ||
|
Scott Arciszewski
@CiPHPerCoder
|
14. sij |
|
Thomas's write-up on HN, for anyone following this thread: news.ycombinator.com/item?id=220486…
|
||
|
|
||
|
thaidn
@XorNinja
|
14. sij |
|
There must be something that triggered me to hunt for these bugs. I can't recall that event, but my search yielded nothing interesting
|
||
|
|
||
|
thaidn
@XorNinja
|
14. sij |
|
I mean UnnamedCurve
|
||
|
|
||
|
thaidn
@XorNinja
|
14. sij |
|
It already has. Search for NamedCurve in github.com/google/wychepr…
|
||
|
|
||
|
thaidn
@XorNinja
|
14. sij |
|
I can't remember why, but I spent some time finding bad libraries that blindly trust specified curve parameters. I couldn't find anything. Wycheproof also has test vectors. "NamedCurve" github.com/google/wychepr…
|
||
|
|
||
|
thaidn
@XorNinja
|
14. sij |
|
Wow. So this is not a boring parsing bug. My guess is that Windows blindly trusted curve parameters from a rogue certificate. This is interesting because tools.ietf.org/html/rfc5480 states that " This choice [specified curve parameters] MUST NOT be used" twitter.com/NSAGov/status/…
|
||
|
|
||
| thaidn proslijedio/la je tweet | ||
|
Lea Kissner
@LeaKissner
|
14. sij |
|
But the fundamental reason why I'm worried about shaking the ads ecosystem too hard, too fast: news media largely relies on ads right now and their business models are already very shaky.
If media can't make money, we're left with media that doesn't need to make money.
|
||
|
|
||
| thaidn proslijedio/la je tweet | ||
|
Justin Schuh 🤬
@justinschuh
|
14. sij |
|
Just to be very clear on this point: This is not about blocking a subset of 3P cookies via lists and/or heuristics. This announcement is that we are going to remove 3P cookies and related tracking mechanisms entirely. twitter.com/justinschuh/st…
|
||
|
|
||
| thaidn proslijedio/la je tweet | ||
|
Nick Sullivan
@grittygrease
|
10. sij |
|
One way to create secure and private ads is to remove tracking altogether. Pay for placement, like in newspapers. The societal problems from online advertising come from the fact that it's extra profitable and effective to use personal information for targeting.
|
||
|
|
||
|
thaidn
@XorNinja
|
9. sij |
|
Great question. Bob must send Alice a single bit.
|
||
|
|
||
|
thaidn
@XorNinja
|
9. sij |
|
To celebrate #realworldcrypto and HACS, here's the latest installation of the Internet of broken protocols series vnhacker.blogspot.com/2020/01/the-in…
|
||
|
|
||