[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] A way to reduce service impersonation
El 26 oct. 2016 3:17 a. m., "Michael" <strangerthanbland@xxxxxxxxx>
escribió:
>
> Well I took a look into the code, not my primary language but readable,
and have some concerns and some suggestions...
>
> # Concerns
>
> Opening signing up to an API is a very bad idea especially if the server
administrator is using keys vulnerable to "known word" attacks, below is a
link to the severity and key types effected.
>
> https://en.m.wikipedia.org/wiki/Digital_Signature_Algorithm#Sensitivity
>
> While sub key use may mitigate this; the whole concept of clients sending
data for servers to process is fraught with danger... I will confess that I
didn't read deep enough into the servers' side to inspect if the received
strings where being scrubbed, nor do I have the expertise to know what that
would look like in Python but I've enough knowledge to know that it's
though no matter the language
You're right , casually I have modified the algorithm a few hours ago for
that reason :).
I am in the process of developing the idea and all comments are welcome.
English is not my native language so I'll read the rest of your mail
tomorrow.
Greetings and good night :)
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk