On 21 Aug 2013, at 23:05, Simon Avery wrote:

> Encryption's useful, of course it is, but it's vulnerable.

Although we note that a certain resident of the Ecuadorian embassy in London put his "insurance" file out to anyone using AES256, and no one is claiming any success, although even if they did it might pay to keep quiet if you can bust aes256.

It is of course vulnerable, and crypto systems tend to slowly degrade as people find the first statistical weakness, and the mathematicians tug at it for a few years.

The top of my list of crypto worries is RC4 because a lot of us went that way when BEAST arrived, and probably a lot of us (myself included) ought to be revisiting that.

It is taking eternity for the free software world to get to TLS 1.2 or better (well for the big distros and browsers to switch to 1.0.1d or later of openssl, technically the software all already exists, it just needs to be aggregated into a working system for normal folk to use). Microsoft are there already.

Bad Apple is probably going to tell us he has packages for everything in every major distro built with current openssl.... there are ways and means but until it is the default and in everything there will be swathes of bad practice (and even when it is the default since we've all overridden the default Apache ssl.conf now with our own doubtful preferred lists of ciphers to use it'll remain till we all fix it up manually).

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq