[Discuss] KeePassX
Kent Borg
kentborg at borg.org
Wed Aug 14 11:53:08 EDT 2013
On 08/14/2013 10:03 AM, Richard Pieri wrote:
> Certificate + handshake = session key => decrypted session in real
> time. Any user, any session, any time, any reason. No cryptanalysis
> needed. No brute force needed.
Yes, if the communication uses a broken (lack of) key exchange.

Stupidly, SSL only recently got improved to support
perfect-forward-security, Safari and Internet Explorer don't really
support it, and the PRISM companies, coincidentally, don't support it.

The good news is that a third of Firefox, Chrome, and Opera SSL traffic
uses good key exchange and is not susceptible to passive snooping or
after-the-fact decryption.

I didn't realize that SSL was so stupid. Rather important technology
was left out of SSL, even though it was already two years old at that
point. Grrr.

An interesting article on this:

http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

The fact that the traffic with the PRISM companies allows this easy
decryption underlines that efficiencies matter for the NSA. Every
monkey wrench helps...

-kb
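
The distinction discussed in this message, as an added example that is not part of the original post: a small audit that classifies negotiated cipher suites by whether their key exchange is ephemeral and reports the share of sessions that are. The log format, the sample lines and the function names are assumptions made for illustration, and the classifier goes beyond the 2013 context by also recognising TLS 1.3 suite names.

```python
import re
from collections import Counter

# Key-exchange tokens that use a fresh Diffie-Hellman share for every session.
EPHEMERAL = {"ECDHE", "DHE", "EDH"}
# TLS 1.3 names carry no key exchange; full handshakes always use ephemeral (EC)DHE.
TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")

def forward_secret(suite: str) -> bool:
    """True if a later leak of the server's long-term private key would not
    expose a recorded session negotiated with this suite."""
    if TLS13.match(suite):
        return True
    if suite.startswith("TLS_"):   # IANA name: TLS_<kx>[_<auth>]_WITH_<cipher>
        kx = suite[4:].split("_")[0]
    else:                          # OpenSSL name: [<kx>-[<auth>-]]<cipher>
        kx = suite.split("-")[0]
    # RSA key transport (including bare OpenSSL names such as AES128-SHA), static
    # DH/ECDH and plain PSK fall through to False. Anonymous suites (ADH, DH_anon)
    # are also reported False: they are unauthenticated and unfit for use anyway.
    return kx in EPHEMERAL

# Constructed sample (hypothetical log format: client address, protocol, suite).
SAMPLE_LOG = """\
192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.11 TLSv1 RC4-SHA
192.0.2.12 TLSv1.2 AES128-SHA
192.0.2.13 TLSv1.2 DHE-RSA-AES256-SHA
192.0.2.14 TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
192.0.2.15 TLSv1.3 TLS_AES_128_GCM_SHA256
192.0.2.16 TLSv1.2 ECDH-RSA-AES128-SHA
"""

def audit(log: str):
    """Return (share of forward-secret sessions, Counter of suites lacking it)."""
    weak, total = Counter(), 0
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue               # skip malformed lines
        total += 1
        if not forward_secret(fields[2]):
            weak[fields[2]] += 1
    share = (total - sum(weak.values())) / total if total else 0.0
    return share, weak

if __name__ == "__main__":
    share, weak = audit(SAMPLE_LOG)
    print(f"forward-secret: {share:.0%}; without: {dict(weak)}")
```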