Date: Tue, 12 Jul 2016 12:59:35 +0300 From: Daniel Kalchev <daniel@digsys.bg> To: Matthew Seaman <matthew@FreeBSD.org> Cc: freebsd-current@freebsd.org Subject: Re: GOST in OPENSSL_BASE Message-ID: <C2F596E2-B417-4DC2-A195-60CFAB6399F5@digsys.bg> In-Reply-To: <a8214f32-ce90-3b97-678a-faad7c6d0b69@freebsd.org> References: <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org> <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org> <CAN6yY1sOrL42ssbfGUKz8%2BaY0VvKPDHPx2S0ZRNpmmgdB0V8Tg@mail.gmail.com> <a8214f32-ce90-3b97-678a-faad7c6d0b69@freebsd.org>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] > On 12.07.2016 г., at 12:12, Matthew Seaman <matthew@FreeBSD.org> wrote: > > I'm also curious as to how far these regulations are supposed to extend. > Presumably traffic which is merely transiting Russian territory isn't > covered, at least in a practical sense. How about people from Russia > accessing foreign websites? I can't see any of the big Internet players > implementing GOST in any locations outside Russia any time soon. > Neither would I as a non-Russian have GOST capabilities client-side, so > what happens if I go and look at say a YandX website over HTTPS? Putin > and his advisors aren't stupid, and they'd already have considered all > this; plus, as you say, the timetable is clearly impossible; so there > must be something else going on here. The standard HTTPS implementation is already sufficiently broken, with the door wide open by the concept of “multiple CAs”. The protocol design is flawed, as any CA can issue certificate for any site. Applications are required to trust that certificates, as long as they trust the CA that issued them. It is trivial to play MTIM with this protocol and in fact, there are commercially available “solutions” for “securing one’s corporate network” that doe exactly that. Some believe this is with the knowledge and approval of the corporation, but who is to say what the black box actually does and whose interests it serves? There is of course an update to the protocol, DANE, that just shuts this door off. But… it faces heavy resistance, as it’s acceptance would mean the end of the lucrative CA business and the ability to intercept “secure” HTTPS communication. Those relying on the HPPTS flaws will never let it become wide spread. In summary — anyone can sniff HTTPS traffic. No need for any cipher backdoors here. Nor any need for GOST to be involved. > > Of course, now there's fairly good evidence that there's some sort of > backdoor in the GOST ciphers, all bets are off on how long it will be > until they get broken in a very public manner. > One can say the same for any other crypto. Plus, for some ciphers there is already evidence.. yet they are still in use. But, a good show is always worth it. Let’s watch for those heroes. :) Daniel [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJXhL+XAAoJEDN1EDx7HoqiCEkP/2J5YT+pQChuqAP2N5sS6+ta f5yg/RZdd4eepqiryB2/YMoNcFGpQUQ1Wx2DRWgkXcaWW1k9kqSdWsrpP+ISiwJ+ 7M+s6x0cW4HTTmQw0ZGthuAlp/aeSt/8iVOmEG4sv/ZerAcrIBKLfksfS32PAul0 nx3A7IkxBYFKJKSz/3bftMUP8/hXG/SDmOip4y+bQPVd5UXUrXTRUKnGE7NA3t6+ oPoq93q03Phk/6jVHQl6fl4i7ijoAhz5U224MjGCDcwLql5H7ZAcsrDS6p11y80H gUE4C/yeljt32WofkYLF0gOrpAE6ypVcpbnR+48Hu0scRLAODGZX50mm4YHJkrh6 yx3XIFUFKX8763qBriquLGDnKCXs5irTqK7ZpRXLHqd61tSd1xNveIPfJTxRfBGH wkKcAXoP6i0cLfu2ER8qpqbCmojzT+IfK0OR4R9X0ccRnEO8UhUHs5fSROxsil66 3fnNsqDdqdrxvXmPlsk7WkxnvPlbldzuvdBcPIxpjblBfomb/5+6yQDyCANXRaea XupZKs7/kvQZHz+x4dV+R3MWXkz9DK3xmeUsb30Q8nzoxxRdcRQ0nY3nwr/PB7c5 xFRy8ayp5gWTn9sP1bilwZXsccZ0GBA7mD0psa1MZwSarvGLUjyYTMhDbOdm0hv5 acNfXP0JTFr3weIxyy51 =Z5Sq -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C2F596E2-B417-4DC2-A195-60CFAB6399F5>