[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] A way to reduce service impersonation

El 26 oct. 2016 3:17 a. m., "Michael" <strangerthanbland@xxxxxxxxx>
> Well I took a look into the code, not my primary language but readable,
and have some concerns and some suggestions...
> # Concerns
> Opening signing up to an API is a very bad idea especially if the server
administrator is using keys vulnerable to "known word" attacks, below is a
link to the severity and key types effected.
> https://en.m.wikipedia.org/wiki/Digital_Signature_Algorithm#Sensitivity
> While sub key use may mitigate this; the whole concept of clients sending
data for servers to process is fraught with danger... I will confess that I
didn't read deep enough into the servers' side to inspect if the received
strings where being scrubbed, nor do I have the expertise to know what that
would look like in Python but I've enough knowledge to know that it's
though no matter the language

You're right , casually I have modified the algorithm a few hours ago for
that reason :).

I am in the process of developing the idea and all comments are welcome.

English is not my native language so I'll read the rest of your mail

Greetings and good night :)
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to