On 30/11/2009 22:47, Kyle Hamilton wrote:
> On Mon, Nov 30, 2009 at 1:07 PM, Ian G <i...@iang.org> wrote:
>> I agree.  It breaches that fundamental law of the Iang's mind-space: there
>> is only one mode, and it is secure.  Break the law, time folds and inverts
>> on itself, and Mallory slips between your bytes.

> 'secure' is a state of mind, not too different from 'paranoid'.  The
> trade-off is in the amount of time you have to spend assessing
> everything as a potential threat.


Indeed, the claim rests on an undefinition ;-)

Let me put it this way, the bottom-up target is to do whatever you can with one mode. The top-down target is to do whatever you can to meet the application need. With one mode.


> Twitter was breached.  Before they disabled renegotiation on their
> servers, the status message POST update was POST [...], and then their
> Basic-encoded username and password.  Someone injected prior bytes
> before allowing the renegotiation, and every time someone was
> intercepted, that someone's status message changed to a whole bunch of
> usernames and passwords.


I stand corrected! I heard it was demo'd, I didn't hear it was breached? Was the attack more of a nuisance attack? How serious are the damages?


> ...but that's a
> bug in HTTP, and we don't talk about HTTP here.)


Well, we shouldn't do architecture here.  Other parts, well said.

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
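The Twitter incident Kyle describes above is the 2009 TLS renegotiation prefix injection: bytes an attacker sent before renegotiation and the victim's renegotiated request were seen by the server as one stream. Twitter's stopgap was to disable renegotiation; the protocol fix standardised a few months after this thread (RFC 5746, February 2010) binds a renegotiated handshake to the original one. The code below is an added example, not code from this thread, from Mozilla or from Twitter. It does two things a defender would want: classify a server from an `openssl s_client` transcript (the three transcripts are constructed samples, not captures of any real host, and follow the line format s_client prints) and build a Python server-side TLS context that refuses renegotiation outright via `ssl.OP_NO_RENEGOTIATION` (a real flag, present on Python 3.7+ with OpenSSL 1.1.0h+; older builds fall back to requiring TLS 1.3, which has no renegotiation at all). The function and constant names are this example's own.

```python
import re
import ssl

# Constructed sample `openssl s_client` transcripts, trimmed to the lines that
# matter. They are not captures of any real host.
LEGACY_SERVER = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

RFC5746_SERVER = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

# OpenSSL prints "IS NOT supported" for a TLS 1.3 session too, because the
# RFC 5746 extension is simply not used there; that is not a finding.
TLS13_SERVER = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""

_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)
_RENEG_RE = re.compile(r"^Secure Renegotiation IS( NOT)? supported", re.MULTILINE)


def assess_renegotiation(s_client_output: str) -> str:
    """Classify a server from its s_client transcript.

    "not-applicable": TLS 1.3 negotiated; the protocol has no renegotiation.
    "secure":         RFC 5746 negotiated; a renegotiated handshake is bound
                      to the first one, so attacker bytes cannot be prefixed.
    "legacy":         pre-RFC 5746 behaviour; the 2009 prefix injection applies
                      unless the server refuses renegotiation altogether.
    "unknown":        the transcript lacks the lines we need.
    """
    proto = _PROTO_RE.search(s_client_output)
    if proto and proto.group(1).startswith("TLSv1.3"):
        return "not-applicable"
    reneg = _RENEG_RE.search(s_client_output)
    if reneg is None:
        return "unknown"
    return "legacy" if reneg.group(1) else "secure"


def server_context_without_renegotiation() -> ssl.SSLContext:
    """Server-side context that refuses renegotiation (Twitter's 2009 mitigation).

    OP_NO_RENEGOTIATION needs Python >= 3.7 on OpenSSL >= 1.1.0h. Where the
    flag is absent we require TLS 1.3, which removed renegotiation entirely.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if flag is not None:
        ctx.options |= flag
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context can never be driven through a renegotiation."""
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if flag is not None and ctx.options & flag:
        return True
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3


if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY_SERVER),
                         ("rfc5746", RFC5746_SERVER),
                         ("tls1.3", TLS13_SERVER)):
        print(f"{name}: {assess_renegotiation(sample)}")
    print("server refuses renegotiation:",
          renegotiation_disabled(server_context_without_renegotiation()))
```

Two caveats when using this against a live host: "secure" only means the RFC 5746 binding is in place, not that renegotiation is refused, so a server that still allows client-initiated renegotiation keeps that as a resource-exhaustion surface even though the prefix splice is gone; and the TLS 1.3 branch exists precisely because a naive grep for "IS NOT supported" reports every modern server as vulnerable.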
