[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Encrypted Web Pages?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Encrypted Web Pages?
From: Martin Fick <mogulguy@xxxxxxxxx>
Date: Tue, 18 Dec 2007 08:50:22 -0800 (PST)
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Tue, 18 Dec 2007 11:50:36 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=QaNqNdmF4/8PuvNfvIJCzTbXFRXROxQqttYg4BViIMPUJX73qfD42HjFhKkeUHqS8wf9LZO1T34i3+eeNMZ/EvK08+d3LvYIfT8j0HFX9mEka7v+/ED9c7aG0tmVnn1/IqpI5g3JGePvGDAqnl44KZhRJpDpeB4ryO/DyE7fD6Y=;
In-reply-to: <476759D5.6050501@xxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

--- "Vlad \"SATtva\" Miller" <sattva@xxxxxxxxx> wrote:
> Martin Fick wrote on 18.12.2007 01:05:
> > --- "Vlad \"SATtva\" Miller" <sattva@xxxxxxxxx>
> wrote:

> What if on sudden he becomes aware of one of the 
> recipient key's compromise? Now
> sender needs to decrypt the whole site and
> re-encrypt it to another set of public keys, 
> excluding the compromised one to not
> let an attacker to lay his hands on sensitive 
> data (if it's not too late already). Problems
> arises:

No need to decrypt anything, simply destroying 
the compromised data is enough in my case.  The
only compromised data is the data encrypted with
the compromised key.

...
> If my life was at stake, I wouldn't trust it to that
> sort of things.

I depends on what puts your life at stake, 
compromised data or lost data?  If the later, 
than certainly such a system is not for you
(but neither are most alternate solutions), 
if the former I wouldn't trust any other type
of system!

> And finally there is a gap in the threat model. If
> we treat webserver as
> untrusted (or even malicious) then we can't discard
> a trivial option of
> DoS attack: server (or hosting provider) may simply
> erase the contents
> of the website or block access for legitimate users.

Not a major concern in my threat model.  Lost data is
not compromised data.  This can easily be coded around
with redundant separate isolated secret hosting.

-Martin

      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

References:
- Re: Encrypted Web Pages?
  - From: Vlad \"SATtva\" Miller

Prev by Author: Re: Encrypted Web Pages?
Next by Author: Snail Mail Onion Routing
Previous by thread: Re: Encrypted Web Pages?
Next by thread: Re: Encrypted Web Pages?
Index(es):
- Author
- Thread