That's okay I can repeat myself better then I am stoned.
Yeh sorry about that, the high hit me kinda hard tonight, not sure why
Oh it does make a difference. If your web site administrator sets up a ssl_cipher list that your server only supports it can blacklist ciphers that are known to not be good enough to stop the NSA. Don't support TLSv1 don't support RSA or MD5 ciphers goes a long way. There's whole list but that's what
https://mozilla.github.io/server-side-tls/ssl-config-generator/ is for.
Oh yeh for sure the cipher is important when it comes to decrypting the traffic using brute force or known vulnerabilities but I'm not referring to decrypting the traffic by breaking the cipher.
I'm saying the Government agencies most likely have the root certs and thus the master keys for the top Certificate Authorities that deliver Public Key Infrastructure. The reason I say that is because those agencies just don't play by their own rules (or anybody's rules
). They have the power of the state and other interests that I believe give them the capability to demand (not necessarily publicly
) the root certificates from the CA's themselves. I just don't believe they wouldn't bully their way to these certs. Every public certificate will eventually lead up the chain to a root certificate which will act like a master key giving the agencies the ability to decrypt the sessions without having to crack any ciphers.
No need to attack RSA vulnerabilities in the IKE phase to get the private key.
No need to brute force the actual AES session (or what ever cipher is being used, hopefully AES256).
If they have access to CA root certs and I believe they do
then they have the master keys if not for all HTTPS traffic, certainly for the sessions based off of certs created by authorities that reside under their jurisdiction.
Assuming they don't have the root certs from all/most/some of the CA's they most certainly have their own root cert published to most public clients (that's you, me, most people), it's called the 'Federal Common Policy CA'. They could easily push out a cert for any SSL site that you are browsing but with a certificate chain that would point back to them. This method isn't all that subtle though as anyone looking closely enough would see the cert chain leading back to them.
I've been in this game far too long and by god even I don't have the memory for this kind of stuff
We can add more RAM to your system but you'll need to raise an RFC. It's another RFC if you want to be rebooted and you'll have to get authorisation form a manager if you want us to virtualise you.
Oh they care. It's easier to think that you are basically a law abiding citizen and you have nothing to hide. Even people who are good pay taxing citizens who runs businesses have things to hide from the government. That doesn't mean they are working against them or breaking the law either.
I believe they only care if you present yourself as a threat to their agenda. The NSA and FBI certainly destroyed
Aaron Swartz because he was a political organiser. So yep I'm not saying don't be cautious, if you are a person of interest then you shouldn't be on this site.
But for the average person I just don't believe the major players give a damn about them. Of course that is until you give them a reason to.
They'll use cannabis against you for sure, that's one of the reasons why the USA haven't legalized federally or the Brits. But I don't think they are hunting or rooting out the FC community or the average stoner. Cannabis users are the lowest of the low priority for government based security agencies, they have to ensure the security for not only the government but the commercial aspect of their realms. It's more about imperialist power and stable economics. If you fuck with that then you are screwed no matter what security measures you've taken.
It provides a fluffy bunny feeling knowing that your passwords when you try and login are not being captured using FireSheep or similar tactics. I mean if you are using WiFi (and I do) and you don't run your own network (I do) there's no reason to think that your credentials are secure.
Sucks but that's the sucker punch;
https://en.wikipedia.org/wiki/Firesheep without encrypted cookies...
and according to the developer tools the cookies here are not secure so I think we really need SSL ... encrypted cookies would be a huge bonus
Used to manage networks (the usual players), now build cloud IaaS/PaaS/SaaS infrastructures. Now that shit is fluffy!
Mostly due to the sales guys selling one thing, managers thinking they are getting another and the rest of us hoping someone can actually define a requirement to deliver on and then resource it accordingly.
Completely agree about public WiFi hotspots, you are broadcasting your traffic and anyone with wireshark or tcpdump can easily have at it. However this is where a VPN would cover you from attackers from others on the local WiFi network even if you are using a site that doesn't use SSL. They aren't mutually exclusive technologies but this site shouldn't rely on the end user to know how to manage a VPN.
SSL is a better option.
Which is why I'm delighted
@vtac is well and present and on the case.
P.S. Sorry everyone for the long and techy post but it's an interesting convo when you actually get down to it and this thread is about security for FC.
some of the jargon is over my head.
