Lunduke drinks the kool-aid, declares HTTPS dangerous

This is true, but how long did it take for the whole WoSign and StartCom debacle to be noticed by Mozilla? How quickly can we respond to a rogue CA? Even if a CA is found to be negligent, you’d still have to wait for updates to the browsers to distrust their certs and for people to take the updates. There is potential there to be concerned about, IMO.

This is largely paranoia based on not knowing how various government departments work.

What entity? The NSA doesn’t control certificates. CAs are trusted based on trust; they’re dropped when that trust is lost. There are examples of this, as I pointed out.

This again comes from not understanding how these things have to be done. You can’t just dump a CA; this is the same with everything, just like you can’t just apply a security patch without testing.

These aren’t consumer-end things that go on; these are business and infrastructure things. You don’t just turn something off.

Using “how long did it take” for something to get noticed isn’t a good reason not to use something either, because there’s always a gap between attack, detection, and response. That doesn’t mean you stop using the security; it might mean that response time needs improving. But that isn’t what he’s saying. He’s saying the NSA designed SHA so you can’t use encryption.

Edit: In fact, I don’t think he brought up your concern at all. Response time to bad CAs is a real issue; he never really touched it.

1 Like

To be clear here, I am not defending Lunduke at all, nor am I saying we should stop using certs to secure the sites we interact with. I am saying that while his video is very “tin foil hat” in nature, he does bring up valid issues.

In this video, no, but I think he did touch on that when it happened originally. He’s been saying the same thing in various clickbait ways for a while now.

Bruce Schneier mentioned that one of the most comforting things in all of the documents leaked by Snowden is how the attacks are performed. They’re all ways to get around SSL/TLS security. Which means, as Bruce says, “the math works.”

1 Like

I will have to settle for… let’s see how this plays out.

1 Like

Since he stopped at Jupiter Broadcasting I think he’s been losing it. I’ll have to watch this later.

This reminds me of a more concrete HTTPS concern…

Does anyone know if OpenSSL still has these malloc issues?

At 6:30

I know a lot of effort went into revamping OpenSSL after Heartbleed, but I’m not sure to what extent they overhauled it.

Edit:

The TL;DR of that presentation (from 2014, in the fallout of Heartbleed) is that OpenSSL is/was essentially flawed because of poor maintenance.

1 Like

From what I heard, it wasn’t just poor maintenance, it’s that the code owners were actively hostile to assistance.

Between that and the fact that they demanded that OpenSSL hold on to oooooold encryption standards but never got around to maintaining the code, I probably won’t be trusting OpenSSL a whole heck of a lot any time soon.

I believe LibreSSL is default on some of the BSDs, and I haven’t run into any issues with it as a drop-in replacement for OpenSSL.

2 Likes

How long ago was that?

I remember something about Google, Cisco and other major players dumping a bunch of resources into revamping OpenSSL at the same time as LibreSSL was being developed. I never heard how that turned out or what concrete changes were made.

I’m not savvy enough to go dig through all that code to figure it out…

Considering his Twitter replies, I’m inclined to believe he makes these just for the attention and to spread his name and get the clicks and ad revenue.

Occasionally he does have a good episode though. The last one I liked, he had the guy who made Redox OS on. That was really cool.

That was during the whole Heartbleed thing, as people were trying to figure out how such a thing could happen. It turned out that there were never more than a couple of people from the Open Source community at large helping out with OpenSSL. Initially people thought that this was because cryptography was hard.

I imagine it would be difficult for the maintainers of any project to turn their noses up at dedicated resources from Google and Cisco.

Ultimately I’m certain OpenSSL is in a better position than it was after Heartbleed. But unfortunately it took Heartbleed to get it to where it is.

1 Like

Yeah, it’s pretty disgusting. He seems to enjoy just being an ignorant d-bag.

"State my concerns with a communication protocol… watch people go insane.

Maybe next week I’ll talk about how I don’t really care for some of the bread options at @SUBWAY. That’ll really get people worked up!"

“All the dopest Security Editors for @ZDNet and @CBS use a @Gmail account as their primary email.”

And his primary platform is YouTube. What an asshat.

Can’t wait for the slew of WordPress, Ghost, and MyPHP CMS to spring up without encryption. Super stoked about the 2018 password list.

How much of a process is this? My understanding is that you’d need to compile Apache (for instance) to use LibreSSL over OpenSSL. Is that the case?

Yeah, I did not make it through half of this garbage … and I know nothing of those standards.
First his UFO series and now shit like this…

I became a patron for his W3C stuff but I guess I’ll pull that and use it … any other way really.

I like the guy but not using encryption is something I do not agree with.

1 Like

I did the same thing and watched the show for awhile after that but he triggers me every week on at least something so I unsubbed ages ago.

Y’know, I haven’t recompiled Apache (or anything, really). It does make me wonder if the couple of Apache instances I have are running LibreSSL. My area of interest has been more OpenVPN recently. At the command line, using OpenSSL and LibreSSL is basically indistinguishable. But I just so happened to be planning on setting up an environment with Apache. So I will report back later tonight.

Yeah, that was my concern. Not really sure how to confirm which one is actually in use by the application.
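One way to answer the “which one is actually in use” question at the command line, as an added example that is not from anyone in this thread: classify the banner that `openssl version` prints (LibreSSL’s tool prints `LibreSSL x.y.z`, upstream prints `OpenSSL x.y.z ...`), and check which `libssl`/`libcrypto` shared objects a binary or an Apache module such as `mod_ssl.so` is dynamically linked against. The `ldd` output embedded below is constructed for illustration, the module path is a placeholder, and the assumption that LibreSSL’s `libcrypto` carries a `LibreSSL x.y.z` string is mine, not the thread’s.

```shell
#!/bin/sh
# Added example (not from the thread): tell OpenSSL from LibreSSL, both for the
# command-line tool and for a binary or shared object such as Apache's mod_ssl.so.
# Assumes a POSIX shell plus `ldd`, `strings` and `awk` (typical Linux); on macOS
# `otool -L` plays the role of `ldd`.

# Classify a version banner such as the first line of `openssl version`.
classify_tls_version() {
    case "$1" in
        LibreSSL*) echo LibreSSL ;;
        OpenSSL*)  echo OpenSSL ;;
        *)         echo unknown ;;
    esac
}

# Read ldd-style output on stdin and print the resolved path of every
# libssl/libcrypto line ("libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x...)").
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# Which TLS shared objects is this file dynamically linked against?
# Prints nothing if the file is statically linked or ldd cannot read it.
linked_ssl_lib() {
    ldd "$1" 2>/dev/null | ssl_libs_from_ldd
}

# Flavor of a resolved libcrypto/libssl path, judged from the version string
# compiled into it (assumption: LibreSSL builds embed "LibreSSL x.y.z",
# OpenSSL builds embed "OpenSSL x.y.z"). Checks LibreSSL first, since a
# LibreSSL build can legitimately contain other strings starting "OpenSSL".
lib_flavor() {
    if strings "$1" 2>/dev/null | grep -q '^LibreSSL [0-9]'; then echo LibreSSL
    elif strings "$1" 2>/dev/null | grep -q '^OpenSSL [0-9]'; then echo OpenSSL
    else echo unknown; fi
}

# Constructed ldd output (not captured from a real machine) so the parser can be
# exercised offline.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1a3f0000)
	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f2b1c000000)
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f2b1bc00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b1b800000)'

# Returns the TLS libraries found in the constructed sample.
demo_parse_sample() {
    printf '%s\n' "$SAMPLE_LDD" | ssl_libs_from_ldd
}

# Real-world use: pass the binary or module to inspect, e.g.
#   sh tlslib.sh /usr/lib/apache2/modules/mod_ssl.so     (placeholder path)
if [ "$#" -gt 0 ]; then
    echo "openssl tool: $(classify_tls_version "$(openssl version 2>/dev/null)")"
    for lib in $(linked_ssl_lib "$1"); do
        echo "$1 -> $lib ($(lib_flavor "$lib"))"
    done
else
    echo "constructed sample resolves to:"
    demo_parse_sample
fi
```

The tool banner and the library a given application links against can disagree, which is exactly the case being asked about: a distro may ship the `openssl` binary from one project while Apache’s `mod_ssl.so` was built against the other. If `ldd` shows no `libssl`/`libcrypto` at all, the application was linked statically and the only reliable answer comes from its own version output or build log.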

Not sure if it’s helpful for you, but I found this:

https://librelamp.com/

2 Likes

Well, if you don’t install OpenSSL, or remove it after the OS is installed, then you know. 🙂

1 Like