[ANNOUNCE] NSS 3.16.2 Release

2014-06-30 Thread Kai Engert
The NSS Development Team announces the release of NSS 3.16.2. Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16. New functionality: * DTLS 1.2 is supported. * The TLS application layer protocol negotiation (ALPN) extension is also supported on the server side. * RSA-OAEP i

Re: Road to RC4-free web (the case for YouTube without RC4)

2014-06-30 Thread Hubert Kario
- Original Message - > From: "Kurt Roeckx" > To: mozilla-dev-tech-cry...@lists.mozilla.org > Sent: Monday, 30 June, 2014 1:57:33 PM > Subject: Re: Road to RC4-free web (the case for YouTube without RC4) > > On 2014-06-30 12:20, Hubert Kario wrote: > >> From: "Kurt Roeckx" > >> On 2014-06

Re: Road to RC4-free web (the case for YouTube without RC4)

2014-06-30 Thread Hubert Kario
- Original Message - > From: "Brian Smith" > To: "mozilla's crypto code discussion list" > > Sent: Monday, 30 June, 2014 12:23:41 AM > Subject: Re: Road to RC4-free web (the case for YouTube without RC4) > > On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario wrote: > > > Because of that,

Re: Road to RC4-free web (the case for YouTube without RC4)

2014-06-30 Thread Kurt Roeckx
On 2014-06-30 12:20, Hubert Kario wrote: From: "Kurt Roeckx" On 2014-06-30 02:35, Hubert Kario wrote: I have to disagree here. Even 1024 bit DHE requires a targeted attack at ~80 bit complexity. Currently we see RC4 at around 56 bit, with a completely unoptimized attack... Do you have a refe

Re: Intent to unimplement: proprietary window.crypto functions/properties

2014-06-30 Thread Matthias Hunstock
On 27.06.2014 18:32, Brian Smith wrote: > However, I think that is a good idea anyway, because Firefox (and > Thunderbird) should be using the native OS for client certificates and > S/MIME certificates anyway. Additionally or exclusively? When I think of using smartcard-based client certificates

Re: Road to RC4-free web (the case for YouTube without RC4)

2014-06-30 Thread Hubert Kario
- Original Message - > From: "Kurt Roeckx" > To: mozilla-dev-tech-cry...@lists.mozilla.org > Sent: Monday, 30 June, 2014 10:56:13 AM > Subject: Re: Road to RC4-free web (the case for YouTube without RC4) > > On 2014-06-30 02:35, Hubert Kario wrote: > >> The benefits of ECDHE outweigh the

Re: Intent to unimplement: proprietary window.crypto functions/properties

2014-06-30 Thread helpcrypto helpcrypto
On Fri, Jun 27, 2014 at 6:32 PM, Brian Smith wrote: Hi > The issue is that the WebCrypto API uses a totally separate keystore from > the X.509 client certificate keystore (if it doesn't, it should be), and > the stuff that Red Hat does is about client certificates. AFAICT, WebCrypto > doesn't

Re: Road to RC4-free web (the case for YouTube without RC4)

2014-06-30 Thread Kurt Roeckx
On 2014-06-30 02:35, Hubert Kario wrote: The benefits of ECDHE outweigh the risks of using RC4, I have to disagree here. Even 1024 bit DHE requires a targeted attack at ~80 bit complexity. Currently we see RC4 at around 56 bit, with a completely unoptimized attack... Do you have a reference f