Date:      Tue, 12 Jul 2016 12:59:35 +0300
From:      Daniel Kalchev <daniel@digsys.bg>
To:        Matthew Seaman <matthew@FreeBSD.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: GOST in OPENSSL_BASE
Message-ID:  <C2F596E2-B417-4DC2-A195-60CFAB6399F5@digsys.bg>
In-Reply-To: <a8214f32-ce90-3b97-678a-faad7c6d0b69@freebsd.org>
References:  <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org> <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org> <CAN6yY1sOrL42ssbfGUKz8%2BaY0VvKPDHPx2S0ZRNpmmgdB0V8Tg@mail.gmail.com> <a8214f32-ce90-3b97-678a-faad7c6d0b69@freebsd.org>


> On 12.07.2016 г., at 12:12, Matthew Seaman <matthew@FreeBSD.org> wrote:
>
> I'm also curious as to how far these regulations are supposed to extend.
> Presumably traffic which is merely transiting Russian territory isn't
> covered, at least in a practical sense.  How about people from Russia
> accessing foreign websites?  I can't see any of the big Internet players
> implementing GOST in any locations outside Russia any time soon.
> Neither would I as a non-Russian have GOST capabilities client-side, so
> what happens if I go and look at say a YandX website over HTTPS?  Putin
> and his advisors aren't stupid, and they'd already have considered all
> this; plus, as you say, the timetable is clearly impossible; so there
> must be something else going on here.

The standard HTTPS implementation is already sufficiently broken, with
the door wide open by the concept of “multiple CAs”. The protocol design
is flawed, as any CA can issue a certificate for any site. Applications
are required to trust those certificates, as long as they trust the CA
that issued them.

It is trivial to play MITM with this protocol and in fact, there are
commercially available “solutions” for “securing one’s corporate
network” that do exactly that. Some believe this is with the knowledge
and approval of the corporation, but who is to say what the black box
actually does and whose interests it serves?

There is of course an update to the protocol, DANE, that just shuts this
door off. But… it faces heavy resistance, as its acceptance would mean
the end of the lucrative CA business and the ability to intercept
“secure” HTTPS communication. Those relying on the HTTPS flaws will
never let it become widespread.

In summary — anyone can sniff HTTPS traffic. No need for any cipher
backdoors here. Nor any need for GOST to be involved.

>
> Of course, now there's fairly good evidence that there's some sort of
> backdoor in the GOST ciphers, all bets are off on how long it will be
> until they get broken in a very public manner.
>

One can say the same for any other crypto. Plus, for some ciphers there
is already evidence... yet they are still in use.
But, a good show is always worth it. Let’s watch for those heroes. :)

Daniel
