[Cryptography] Kali Linux security is a joke!

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Mar 23 03:53:59 EDT 2015


Danny Mitchell <fishcustard at gmail.com> writes:

>The problem is that there isn't really anything secure about them. The NSA
>and its allies routinely intercept such connections -- by the millions.
>According to an NSA document, the agency intended to crack 10 million
>intercepted https connections a day by late 2012.

That doesn't really tell you much about what they're doing though.  They could
be taking advantage of the endless EasySocketFactories and related things that
don't validate connection security (there's bound to be 10 million Android and
iOS-app TLS transactions per day doing that), or given the year, take
advantage of goto fail and its GnuTLS equivalent, or steal the RSA key for a
site that doesn't use DH so they can later decrypt all TLS sessions, or
whatever.  If you use DH and validate parameters (and as a corollary use a TLS
implementation that's done right) then there's no reason to suspect TLS isn't
secure.

Peter.

