On Sun, Jan 8, 2012 at 11:01 AM, Rumoseh, Loros <rumosehlo...@postafiok.hu> wrote:
> Good morning Everybody.
>
> Q1: Correct me if I'm wrong, but AFAIK the OpenBSD team is not trusting the
> CA/HTTPS model on the security side. That's why www.openbsd.org isn't
> available over HTTPS [?].

What exactly is private on the OpenBSD page to have it over https? ;-)

>
> ---off---
> Q2: Then why is:
> https://lists.openbsd.org/cgi-bin/mj_wwwusr?user=&passw=&func=lists-long-full&extra=misc
> using an invalid certificate? :O
> ---on---

Because certificate services are mostly far too expensive without a reason. It doesn't provide real security, and because OpenBSD is a fun project, a self-signed certificate is enough?

>
> -------------------------------------------------
>
> The main questions/RFCs:
> I recently heard about Convergence; the website that features a Firefox
> plugin (client code) and a notary (server code) is here:
> http://convergence.io/
>
> A starting video of this idea from the developer, Moxie Marlinspike (author
> of sslstrip/sslsniff):
> https://www.youtube.com/watch?v=Z7Wl2FW2TcA
> [the main part is from 35m40sec, but the video is worth watching!]
>
> If there is no Adobe Flash installed on your machine, then visit this link:
> https://addons.mozilla.org/en-US/firefox/search/?q=youtube+downloader&appver=9.0.1&platform=linux
>
> About Moxie Marlinspike
> https://www.blackhat.com/html/bh-us-11/bh-us-11-speaker_bios.html#Marlinspike
>
> Convergence:
> It's explicitly not an SSL replacement. It's a replacement for CAs, with
> the explicit design goal of not forcing some giant IPv6-like "change the
> world" rollout. It's based in large part on earlier work on solving the SSH
> Host Key validation problem - see
> http://www.usenix.org/event/usenix08/tech/full_papers/wendlandt/wendlandt_html/ -
> http://security.stackexchange.com/a/5968/2212
>
> Q3: So what does the OpenBSD team think about this great [?] idea? Is it a
> viable solution? Is this the future or just a dead end?
>
> -------------------------------------------------
>
> ps.: Also URLs regarding this topic:
> http://security.stackexchange.com/a/6780/2212
> http://security.stackexchange.com/a/10334/2212
> http://security.stackexchange.com/questions/9945/does-https-everywhere-defends-me-against-sslsniff-like-attacks
> http://unix.stackexchange.com/a/28288/6960
>
> -------------------------------------------------
>
> ps.2:
> http://security.stackexchange.com/questions/9946/when-will-the-webbrowsers-have-tls-1-2-support
> http://security.stackexchange.com/questions/10481/next-microsoft-patch-tuesday-include-beast-ssl-fix
>
> The TLS support for browsers right now is:
>
>     IE9 - TLS 1.0, 1.1, 1.2 all supported via Schannel
>     IE8 - TLS 1.0 supported by default, 1.1 and 1.2 can be configured
>     Opera - 10.x supports TLS 1.0, 1.1, 1.2
>
> I don't count older versions of any of these browsers, since people
> really should have auto-update on. If they don't, they've probably got
> bigger problems ( http://isc.sans.edu/diary.html?storyid=11527 )
>
>     Mozilla/Firefox - TLS 1.0 only
>     Chrome - TLS 1.0 only (though an update is rumoured)
>     Safari - TLS 1.0
>     Cell phones - various support levels (WebKit has TLS 1.2 since Nov
> 2010, but for individual phone browser implementations your mileage may
> vary)
>
> -------------------------------------------------
>
> Thank you for any comments on this idea/questions.
>
> Long live OpenBSD! :)
>
> Have a nice day!
>
> bye!
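The notary check that Convergence borrows from the Perspectives/SSH host-key work, as an added illustration that is not part of this thread or of the Convergence project's own code: the client compares the certificate fingerprint it received with what several independent notaries observed for the same host, so a certificate that only appears on the client's own network path is rejected regardless of who signed it, while a consistently observed self-signed certificate (such as the one on lists.openbsd.org) can be accepted. The notary names, the two fake DER blobs and the policy names are constructed for the example.

```python
import hashlib

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in colon-separated hex."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def notary_decision(client_fp: str, notary_reports: dict, policy: str = "majority"):
    """
    Compare the fingerprint the client saw against independent notary
    observations of the same host:port.  notary_reports maps a notary name
    to the fingerprint it observed, or None if that notary was unreachable.
    policy "majority":  more than half of the responding notaries must agree.
    policy "consensus": every responding notary must agree.
    Returns (trusted, agreeing, disagreeing, unreachable).
    """
    agree, disagree, unreachable = [], [], []
    for name, fp in notary_reports.items():
        if fp is None:
            unreachable.append(name)
        elif fp == client_fp:
            agree.append(name)
        else:
            disagree.append(name)
    responding = len(agree) + len(disagree)
    if responding == 0:
        trusted = False            # no vantage point confirmed anything: fail closed
    elif policy == "consensus":
        trusted = not disagree
    else:
        trusted = len(agree) * 2 > responding
    return trusted, agree, disagree, unreachable

# Constructed sample data (not real certificates): one blob stands in for the
# genuine self-signed certificate, the other for one injected on the client's path.
GENUINE_CERT = b"constructed-der-for-lists.openbsd.org"
INTERPOSED_CERT = b"constructed-der-from-an-interposed-proxy"
GENUINE_FP = fingerprint(GENUINE_CERT)
INTERPOSED_FP = fingerprint(INTERPOSED_CERT)

def demo():
    # Two notaries saw the genuine certificate, a third could not be reached.
    notaries = {"notary-a": GENUINE_FP, "notary-b": GENUINE_FP, "notary-c": None}
    clean, *_ = notary_decision(GENUINE_FP, notaries)               # client path is clean
    mitm, _, disagree, _ = notary_decision(INTERPOSED_FP, notaries)  # only the client sees it
    return clean, mitm, disagree

if __name__ == "__main__":
    print(demo())
```

The notaries never learn the private key or the session; they only report the public certificate they observed, which is why a self-signed certificate is no weaker than a CA-signed one under this model.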