
Re: [tor-talk] A way to reduce service impersonation



On 26 Oct 2016 3:17 a.m., "Michael" <strangerthanbland@xxxxxxxxx>
wrote:
>
> Well I took a look into the code, not my primary language but readable,
> and have some concerns and some suggestions...
>
> # Concerns
>
> Opening signing up to an API is a very bad idea especially if the server
> administrator is using keys vulnerable to "known word" attacks, below is a
> link to the severity and key types affected.
>
> https://en.m.wikipedia.org/wiki/Digital_Signature_Algorithm#Sensitivity
>
> While sub key use may mitigate this; the whole concept of clients sending
> data for servers to process is fraught with danger... I will confess that I
> didn't read deep enough into the servers' side to inspect if the received
> strings were being scrubbed, nor do I have the expertise to know what that
> would look like in Python but I've enough knowledge to know that it's
> tough no matter the language

You're right, casually I modified the algorithm a few hours ago for
that reason :).

I am in the process of developing the idea and all comments are welcome.

English is not my native language so I'll read the rest of your mail
tomorrow.

Greetings and good night :)
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk