Good morning everybody.

Q1: Correct me if I'm wrong, but AFAIK the OpenBSD team does not trust the CA/HTTPS model on the security side. That's why www.openbsd.org isn't available over HTTPS [?].

---off---
Q2: Then why is https://lists.openbsd.org/cgi-bin/mj_wwwusr?user=&passw=&func=lists-long-full&extra=misc using an invalid certificate? :O
---on---

-------------------------------------------------

The main questions/RFCs:

I recently heard about Convergence. The website that features a Firefox plugin (client code) and a notary (server code) is here: http://convergence.io/

A starting video of this idea from the developer, Moxie Marlinspike (author of sslstrip/sslsniff): https://www.youtube.com/watch?v=Z7Wl2FW2TcA [the main part is from 35m40s, but the video is worth watching!] If there is no Adobe Flash installed on your machine, then visit this link: https://addons.mozilla.org/en-US/firefox/search/?q=youtube+downloader&appver=9.0.1&platform=linux

About Moxie Marlinspike: https://www.blackhat.com/html/bh-us-11/bh-us-11-speaker_bios.html#Marlinspike

Convergence:
"It's explicitly not an SSL replacement. It's a replacement for CAs, with the explicit design goal of not forcing some giant IPv6-like 'change the world' rollout. It's based in large part on earlier work on solving the SSH host key validation problem - see http://www.usenix.org/event/usenix08/tech/full_papers/wendlandt/wendlandt_html/"
- http://security.stackexchange.com/a/5968/2212

Q3: So what does the OpenBSD team think about this great [?] idea? Is it a viable solution? Is this the future or just a dead end?

-------------------------------------------------

ps.: Also URLs regarding this topic:
http://security.stackexchange.com/a/6780/2212
http://security.stackexchange.com/a/10334/2212
http://security.stackexchange.com/questions/9945/does-https-everywhere-defends-me-against-sslsniff-like-attacks
http://unix.stackexchange.com/a/28288/6960

-------------------------------------------------

ps.2:
http://security.stackexchange.com/questions/9946/when-will-the-webbrowsers-have-tls-1-2-support
http://security.stackexchange.com/questions/10481/next-microsoft-patch-tuesday-include-beast-ssl-fix

The TLS support for browsers right now is:

IE9 - TLS 1.0, 1.1, 1.2 all supported via Schannel
IE8 - TLS 1.0 supported by default; 1.1 and 1.2 can be configured
Opera 10.x - TLS 1.0, 1.1, 1.2 supported
Mozilla/Firefox - TLS 1.0 only
Chrome - TLS 1.0 only (though an update is rumoured)
Safari - TLS 1.0
Cell phones - various support levels (WebKit has had TLS 1.2 since Nov 2010, but for individual phone browser implementations your mileage may vary)

I don't count older versions of any of these browsers, since people really should have auto-update on. If they don't, they've probably got bigger problems ( http://isc.sans.edu/diary.html?storyid=11527 ).

-------------------------------------------------

Thank you for any comments on this idea/questions.

Long live OpenBSD! :)

Have a nice day! Bye!
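To make the "replacement for CAs" part of the post concrete, here is a small Python model of notary-based validation in the Perspectives/Convergence style. It is an added illustration, not the Convergence client or notary code and not anything from the OpenBSD project. Everything in it is constructed for the example: the host names, the byte strings standing in for DER certificates, the three notaries and their observations, and the choice of SHA-256 as the fingerprint hash. The two policies, "majority" and "consensus", are a simplified stand-in for the agreement thresholds such a client can be configured with. The point it shows is that no issuer, chain or CA is consulted anywhere: the browser trusts a certificate only if enough independent vantage points report seeing the same one for that host.

```python
"""Toy model of notary-based certificate validation (Perspectives /
Convergence style).  Added illustration; not Convergence's own code."""
import hashlib
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple


def fingerprint(cert_der: bytes) -> str:
    """Hash of the certificate exactly as seen on the wire.  SHA-256 is an
    assumption of this example; a real client and its notaries agree on
    their own fingerprint format."""
    return hashlib.sha256(cert_der).hexdigest()


class Notary:
    """One network perspective.  A real notary makes its own TLS connection
    to host:443 and reports what it saw; here its view is a constructed
    table of host -> certificate bytes."""

    def __init__(self, name: str, observations: Dict[str, bytes]) -> None:
        self.name = name
        self._seen = {host: fingerprint(der) for host, der in observations.items()}

    def query(self, host: str) -> Optional[str]:
        return self._seen.get(host)


def verify(host: str, cert_der: bytes, notaries: Iterable[Notary],
           policy: str = "majority") -> Tuple[bool, Dict[str, int]]:
    """Decide whether to trust the certificate the browser just received.

    No issuer, signature chain or CA is consulted.  The only question is
    whether enough independent vantage points see the same certificate for
    this host that we do.  Returns (accepted, tally of reported fingerprints).
    """
    local_fp = fingerprint(cert_der)
    tally = Counter()
    for notary in notaries:
        seen = notary.query(host)
        if seen is not None:          # unreachable / never seen -> abstains
            tally[seen] += 1

    responding = sum(tally.values())
    agreeing = tally.get(local_fp, 0)
    if responding == 0:
        return False, dict(tally)     # no perspective at all: fail closed
    if policy == "consensus":
        accepted = agreeing == responding
    elif policy == "majority":
        accepted = agreeing * 2 > responding
    else:
        raise ValueError(f"unknown policy: {policy}")
    return accepted, dict(tally)


# Constructed sample data: stand-ins for DER-encoded certificates.
GENUINE_CERT = b"constructed DER: CN=example.test, issued to the real operator"
MITM_CERT = b"constructed DER: CN=example.test, issued by an attacker"

NOTARIES = [
    Notary("notary-a", {"example.test": GENUINE_CERT}),
    Notary("notary-b", {"example.test": GENUINE_CERT}),
    # Third notary reports a different certificate: either it is itself being
    # intercepted or it is dishonest.  Either way it is outvoted.
    Notary("notary-c", {"example.test": MITM_CERT}),
]


def scenarios() -> Dict[str, bool]:
    """Outcomes a browser configured with the three notaries above reaches."""
    return {
        # We see the genuine cert and 2 of 3 notaries agree.
        "genuine_majority": verify("example.test", GENUINE_CERT, NOTARIES)[0],
        # Same, but unanimity required: one dissenting notary blocks the page.
        "genuine_consensus": verify("example.test", GENUINE_CERT, NOTARIES, "consensus")[0],
        # Local MITM: the attacker's cert reaches us, but only 1 of 3 notaries sees it.
        "local_mitm_majority": verify("example.test", MITM_CERT, NOTARIES)[0],
        # Host no notary has ever seen: nothing to compare against.
        "unknown_host": verify("other.test", GENUINE_CERT, NOTARIES)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:22s} -> {'accept' if accepted else 'REJECT'}")
```

The "local_mitm" case is the one the CA model cannot catch when the attacker holds a certificate from any trusted CA: here it is rejected simply because the notaries, connecting from elsewhere, do not see that certificate. The flip side is visible in the "consensus" and "unknown_host" cases: availability now depends on the notaries, and a single wrong or intercepted notary can block a legitimate site under a strict policy.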