Sorry for the basic question but is Freedombox considered to be a collection of hardware or software or is it the name of the project itself?
Q #2 - Would it be essentially impossible or completely impractical for the freedombox to contain only free software, the firmware, drivers, algorithms, code, everything free? The device cannot be secured if it contains any non-free software (code, firmware, libraries, anything), right?

Q #3 - Does the Free Software Foundation approve of the Freedombox?

Again, not an expert in this subject at all, but since we are talking about security I wanted to bring up WEP. My limited understanding of WEP is that it was an insecure encryption method used a decade or more ago and is still offered on many routers. The vulnerability as I understand it was that the router would broadcast part of the key itself along with something else at a certain interval, I would guess many times per second. After a short while, the router would broadcast a different part of the key and then eventually if you listened long enough you would have all the parts to the key.

During the broadcast of these key pieces, was the order of the key characters preserved so that assembling the original key was a relatively simple matter if you listened long enough? If the answer to that is yes, is the reason that this extremely obvious vulnerability was not discovered because the algorithm used and/or the code was not made available for the public to view? It almost seems like an intentional hole in the security.

-----Original Message-----
From: Freedombox-discuss [mailto:freedombox-discuss-bounces+cgw993=aol....@lists.alioth.debian.org] On Behalf Of Sandy Harris
Sent: Friday, September 13, 2013 4:09 PM
To: freedombox list
Subject: [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox

Jonas Smedegaard <[email protected]> wrote:

> Would be nice if those knowledgeable about crypto could propose a
> shortlist of purposes, and corresponding CAs and cipher suites.

I see no reason offhand for a Box to trust any CA. That is a problem for the browsers, not a server.
To identify the box to browsers, we could create a Box project CA, get certs from some existing CA, or use self-signed certs. I'd favour the latter because it is simpler, but then we need to document a requirement that browsers check for cert changes. Without that check, self-signed certs can be replaced by an attacker.

As for cipher suites, we should very strongly prefer ones that offer perfect forward secrecy:

https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection

The obvious cipher to use is AES, but it would be preferable to provide some other options as well.

"When asked to implement AES, the implementer might include the other finalists - Twofish, Serpent, RC6 and MARS - as well. This provides useful insurance against the (presumably unlikely) risk of someone finding a good attack on AES. Little extra effort is required since open source implementations of all these ciphers are readily available ... All except RC6 have completely open licenses."

http://en.citizendium.org/wiki/Block_cipher#The_AES_generation

The obvious hash to use is SHA-2, probably along with the plug-in compatible SHA-3.

> Anyone knowledgeable about crypto that can help out?

See also old discussion in this thread, and likely elsewhere too:

http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-April/001439.html

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
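
Added example, not part of the original thread or of FreedomBox code: a client-side sketch of the "check for cert changes" requirement mentioned above for self-signed certs, done as trust-on-first-use pinning. The names PinStore, fingerprint and box.example and the JSON pin file are assumptions made for illustration, and the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac
import json
import os

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the whole DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Trust-on-first-use pins: host name -> certificate fingerprint."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)  # atomic swap, no half-written pin file

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'first-use', 'match' or 'changed'; never overwrites a pin."""
        seen = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen
            self._save()
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        return "changed"  # caller must refuse the connection

    def repin(self, host: str, der_cert: bytes) -> None:
        """Explicit user action after confirming a key rotation out of band."""
        self.pins[host] = fingerprint(der_cert)
        self._save()

if __name__ == "__main__":
    import tempfile
    # Constructed stand-ins for DER certificates; a real client would pass
    # ssl.SSLSocket.getpeercert(binary_form=True) here.
    store = PinStore(os.path.join(tempfile.mkdtemp(), "pins.json"))
    for cert in (b"constructed-cert-A", b"constructed-cert-A", b"constructed-cert-B"):
        print(store.check("box.example", cert))
```

The first connection still has to be verified some other way, since trust-on-first-use only detects a certificate that changes after the pin is recorded.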
