Re: [tlug] Good Overview Of What Is Still Secure?

[Darren Cook <darren@example.com>]

>>  > Any suggestions for a good, up to date article that describes what is
>>  > potentially compromised, and what is still secure?
>>
>> Not off hand.  The RISKs folks, Bruce Schneier's blog, stuff like that
>> would be where I'd look.
> 
> Also this http://blog.cryptographyengineering.com/2013/09/on-nsa.html,
> the whole blog is worth reading.
> ...
> https://www.imperialviolet.org/2013/06/27/botchingpfs.html

Thanks (and to Stephen).

I spent some time yesterday working through these; also the slashdot
thread [1].
I got a good idea, but the dust on the conclusions hasn't settled yet
(e.g. the imperialviolet page says how much better ECDHE is than DHE,
but the "EC" is the elliptic curves that hackers might have a compromise
for).

Darren


[1]:
http://yro.slashdot.org/story/13/09/05/1951204/nsa-foils-much-internet-encryption
(I found this useful for pointing out that the CAs don't get the private
keys, it is all kept browser-side, and also that a man-in-the-middle
attack would be too easily noticed.)