
[pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches



----- Forwarded message from Jim Thompson <[email protected]> -----

Date: Thu, 5 Sep 2013 15:07:00 -0500
From: Jim Thompson <[email protected]>
To: pfSense support and discussion <[email protected]>
Subject: Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
X-Mailer: Apple Mail (2.1786.1)
Reply-To: pfSense support and discussion <[email protected]>


Read 'em and weep:  http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0

My take is that most places don't enable PFS (because it's "hard") in IPSec.

In theory, Transport Layer Security (TLS) can choose appropriate ciphers since SSLv3, but in everyday practice many implementations have refused to offer PFS or only provide it with very low encryption grade. 
http://www.ietf.org/mail-archive/web/tls/current/msg02134.html

I don't know the situation on pfSense (I've not gone to look, as I'm elbows deep in an IPv6 IPsec issue atm.)

In theory, OpenSSL supports perfect forward secrecy using elliptic curve Diffie-Hellman since version 1.0.   Do we set "enable-ec_nistp_64_gcc_128" on pfSense?
Do we enable the DHE-RSA-AES128-SHA cipher suite?   How about ECDHE-RSA-AES128-SHA?  Do we build the 64-bit optimized version for 64-bit images?
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

Anyway, the "evidence" is that there is some fundamental weakness in DH,  since the NSA itself recommends EC crypto rather than DH in their "Suite B" offering.

http://www.nsa.gov/ia/programs/suiteb_cryptography/

One would think that pfSense would follow suit.


_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
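The questions in the forwarded mail (does the stack offer DHE-RSA-AES128-SHA or ECDHE-RSA-AES128-SHA, and does it offer PFS only at a "very low encryption grade") can be checked mechanically. The script below is an added example, not code from the thread or from pfSense: it classifies OpenSSL cipher-suite names by their key-exchange token (ECDHE/DHE/EDH give forward secrecy, a bare name such as AES128-SHA means static RSA key transport, ADH/AECDH is anonymous DH), flags export, RC4, DES/3DES, MD5 and NULL suites as weak, and builds an OpenSSL context restricted to authenticated ephemeral-DH suites and verifies that no static-RSA suite survives. The offered-suite list, the `PFS_ONLY` cipher string and the weak-suite pattern are assumptions for illustration, not pfSense's actual configuration.

```python
"""Audit TLS cipher suites for forward secrecy (example code, not pfSense's).

OpenSSL suite names encode the key exchange in the leading token:
  ECDHE-...   ephemeral elliptic-curve Diffie-Hellman  -> forward secrecy
  DHE-/EDH-   ephemeral finite-field Diffie-Hellman    -> forward secrecy
  AES128-SHA  (no prefix) static RSA key transport     -> NO forward secrecy:
              whoever later obtains the server key decrypts recorded traffic
  ADH-/AECDH- anonymous DH: ephemeral but unauthenticated
  TLS_...     TLS 1.3 suites: key exchange is always (EC)DHE
An EXP- / EXP1024- prefix marks an export-grade variant of the same suite.
"""
import re
import ssl

# Assumed definition of "very low encryption grade": export suites, RC4,
# single DES, 3DES, MD5 MACs and NULL ciphers.
WEAK_RE = re.compile(r"(^|-)(EXP|EXP1024|RC4|DES-CBC|DES-CBC3|NULL|MD5)(-|$)")


def key_exchange(name):
    """Return 'ecdhe', 'dhe', 'anon', 'tls13', 'rsa' or 'other' for a suite name."""
    if name.startswith("TLS_"):
        return "tls13"
    base = re.sub(r"^EXP(1024)?-", "", name)  # export variants keep the kx token
    if base.startswith("ECDHE-"):
        return "ecdhe"
    if base.startswith(("DHE-", "EDH-")):
        return "dhe"
    if base.startswith(("ADH-", "AECDH-")):
        return "anon"
    if base.startswith(("ECDH-", "DH-", "PSK-", "SRP-", "KRB5-")):
        return "other"  # static (EC)DH, PSK, SRP, Kerberos: not ephemeral DH
    return "rsa"


def forward_secret(name):
    return key_exchange(name) in ("ecdhe", "dhe", "tls13")


def audit(offered):
    """Split a server's offered suites (e.g. from a scan) into what a
    PFS-seeking client can actually negotiate, and at what grade."""
    report = {"strong_pfs": [], "weak_pfs": [], "no_pfs": [], "unauthenticated": []}
    for name in offered:
        if key_exchange(name) == "anon":
            report["unauthenticated"].append(name)
        elif forward_secret(name):
            bucket = "weak_pfs" if WEAK_RE.search(name) else "strong_pfs"
            report[bucket].append(name)
        else:
            report["no_pfs"].append(name)
    return report


# Assumed cipher string: authenticated ephemeral-DH suites only, AEAD first,
# with anonymous, NULL, export, RC4, 3DES and MD5 suites explicitly excluded.
PFS_ONLY = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!EXP:!RC4:!3DES:!MD5"


def pfs_only_context():
    """An OpenSSL client context that can only negotiate forward-secret suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(PFS_ONLY)
    return ctx


def static_rsa_suites(ctx):
    """Suites enabled in ctx whose key exchange OpenSSL reports as RSA transport."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-rsa"]


if __name__ == "__main__":
    # Constructed sample of a 2013-era server's offered list (not a real scan).
    offered = ["AES128-SHA", "DHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
               "ECDHE-RSA-AES128-GCM-SHA256", "EXP-EDH-RSA-DES-CBC-SHA",
               "EDH-RSA-DES-CBC3-SHA", "RC4-SHA", "ADH-AES128-SHA",
               "TLS_AES_128_GCM_SHA256"]
    for bucket, names in audit(offered).items():
        print(f"{bucket:16} {names}")
    print("static RSA left in PFS-only context:", static_rsa_suites(pfs_only_context()))
```

The name-based classifier lets you audit a scan report offline; `static_rsa_suites` asks the linked OpenSSL itself, via `SSLContext.get_ciphers()`, which suites a given cipher string really leaves enabled, which is the check to run against whatever string a build actually ships rather than trusting the configuration file. Note that a suite being in the PFS bucket says nothing about DH parameter size; a 1024-bit DHE group still needs a separate check.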