
1024 bit Diffie-Hellman key exchanges may be compromised.


    [ENCRYPTION] 1024 bit Diffie-Hellman key exchanges may be compromised.

    Read this article:

    http://arstechnica.com/security/2016...f-crypto-keys/

    The use of 1024 bit prime number keys in Diffie-Hellman key exchanges can be compromised, making solving the key pair much easier.

    The problem, explained in the article, is that only a few actual prime numbers are used and these can be compromised by having an embedded "trapdoor".

    If your software, or your bank's software for instance, uses the 1024 bit keys, it may be breakable.

    Even Apache Servers use a limited set of 1024 bit primes for generating security keys.

    Watch for this to change, hopefully in the very near future. A move to 2048 bit keys is suggested in the article.
    Kubuntu 24.04 64bit under Kernel 6.10.2, Hp Pavilion, 6MB ram. All Bow To The Great Google... cough, hack, gasp.

    #2
    Thanks for the heads up!

    The Diffie-Hellman problem reminds me of a similar problem ten years ago when a flaw in Debian's random number generator allowed hackers to guess RSA keys within hours. That hole was patched but a big problem remains with the entropy of RSA keys (I don't know how this plays out with D-H keys). When I first started using Linux in 1998 and created crypto keys one thing the process required me to do was to type on the keyboard and/or move the mouse around until the generation was complete. This was, supposedly, to generate more entropy for the key to use.

    Because of the fall of the 128b, 256 and 512b RSA keys, and the US government going anti-Constitution, I made a New Year's resolution to use 4096 bytes from now on, and that's what my current RSA key is, along with a LONG password.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.



      #3
      It's sad when the key is longer than the message it protects...

      Reading the article, I caught a hint that Apache may be moving to 2048 or 4096 bit keys too.

      "Yes, your Honor, I do encrypt my grocery list. It represents a major part of my income, so I do consider it worth protecting."

      And let's not get started on Yahoo email's FUBAR'd security. Why bother encrypting if they give away the key to the barn?
      Last edited by TWPonKubuntu; Oct 11, 2016, 04:06 PM. Reason: Additional thoughts...



        #4
        Yup. Almost .... almost .... using crypto is almost a waste of time. It will be, or already is, if the government's D-Wave2 quantum computer is working on them now, as I suspect it is.



          #5
          I suspect we're going to see a lot more one-time and blind key cyphers being used.

          "The blue whale flies by moonlight"
          Chapter 4, Page 9, third paragraph. 16x16 matrix.

          Just to advise on Thanksgiving vacation plans...



            #6
            A) I read an op-ed piece, can't lay it to hand, about that there needs to be a COMPLETE rethinking of encryption...basically WITHIN the data stream.

            B) My bank requires:

            a) a HUGE alphanumeric password
            b) a "random time" asking of a verification question.
            c) selecting a PICTURE, out of multiple pictures, that I earlier picked, by clicking on the correct picture.

            Of all of that I, personally, consider that the ONLY valid "verification" is the choice of the picture.

            EVERY SINGLE TIME THAT a person uses a PHONE.........to access ANYthing that has to do with ANYthing that is "financial"

            The person should be asked to "pick a picture" that is the verification picture from a THREE by THREE grid....and within twenty seconds.

            And.........if the correct picture is not picked by the SECOND time, the site disconnects.

            And........too bad.........too sad............. but you are going to have to either pick out the correct picture in an hour......... or...........CALL AND BE ON THE NET AT THE SAME TIME WITH GPS on the phone and the person ALLOWS the GPS.


            NOTE 1:

            TWP commented on....

            Sherlock Holmes..... dancing men....but he discussed the thing about "blind key" that one has to have a copy of War and Peace to hand and then find the correct page and the correct lines and every third letter...

            "The blue whale flies by moonlight"
            Chapter 4, Page 9, third paragraph. 16x16 matrix.
            ummmm BRAVO TWP!!

            Note 2: WHAT ABOUT BLIND PEOPLE............

            THIS IS SO EASY IT IS NOT EVEN FUNNY IT IS laughable...

            All cell phones will "vibrate"..............the vibration can be assigned to a number set.

            The Blind person merely speaks the vibratory number set of the chosen picture, which can be picked AT RANDOM, by the blind person......

            Pick the picture that is in the second line number three and send me the vibration for that picture...

            buzz, blank, buzz, buzz, blank, whatever.

            The computing power is so exponentially large compared to what is needed to interact in THIS SMALL SET..... by vibration is........LAUGHABLE...

            The ONLY REASON that "banks" don't do this is because they think WITH REASON, that people are so DAM# lazy that if it required more than swiping left right that people will change banks....and...they are somewhat correct......they can PAY OFF all thefts and STILL make money.!!



            woodjustmyesperienceininternetsecuritysmoke
            Last edited by woodsmoke; Oct 11, 2016, 07:08 PM.



              #7
              Woodsmoke, was it this one?:

              Apache Milagro: A New Security System for the Future of the Web
              http://lxer.com/module/newswire/ext_link.php?rid=234788



                #8
                I see a fly in this ointment, the fact that three letter agencies will be looking more closely at encrypted messages.

                This paranoid wonders if this will get the encryptor (sp?) added to lists that one does not want to be a member of...

                Yes there is some protection in sheer numbers, if everyone and his dog is using encryption (a good idea) then one becomes less visible. Flying below the radar and staying inside the flock are apt phrases here.



                  #9
                  Well TWP...

                  Bravo!! THAT is one of the MANY reasons that you are a really kewl "Linux" person and that I'm just an old hardware kinda guy! :

                  woodthanksTWPsmoke



                    #10
                    Kewl!



                      #11
                      Disable 1024-bit Diffie-Hellman primes
                      As the OP reported, following recent research it is likely that the NSA has been breaking 1024-bit Diffie-Hellman for some time now. To disable these, switch the following settings to false in about:config:

                      security.ssl3.dhe_rsa_aes_128_sha
                      security.ssl3.dhe_rsa_aes_256_sha

                      Then consider checking your SSL configuration at https://www.howsmyssl.com



                        #12
                        GreyGeek, Thank you for the info.
