[cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]
iang at iang.org
Tue Jul 2 06:43:03 EDT 2013
On 2/07/13 13:25 PM, Adam Back wrote:
> I think it time to deprecate non-https (and non-forward secret
> ciphersuites.) Compute power has moved on, session cacheing works,
> symmetric crypto is cheap.
Good point -- anything that contributes to the "HTTPS Everywhere"
campaign is a good thing. As an aside, this assists defence against a
real enemy for everyone being phishing.
> Btw did anyone get a handle on session resumption - does it provide forward
> secrecy (via k' = H(k)?). Otherwise I saw concerns a disk stored, or long
> lived session resumption may itself start to become an exposure risk
> somewhat analogous to non-forward secret SSL.
> On Tue, Jul 02, 2013 at 12:50:32PM +0300, ianG wrote:
>> BTNS (better than nothing security) for IPSec could save it.
>> There is precedent: the ideas behind SSH totally swept out
>> secure-telnet within a year or so. Skype demolished other VoIP
>> providers, because its keys were hidden. The same thing happened with
>> that email transport security system.
>> In contrast, IPSec is a complete and utter deployment failure, and it
>> shares statistically unmeasurable rates of protection across the net.
>> It's near cousin, secure browsing at least achieved penetration rates
>> of around 1% if one counts the HTTPS v. HTTP ratio (what else
>> matters?). Both suffered in large part because they insisted on the
>> classical certificates / PKI schoolbook.
>> So, if one is looking for a saviour, there is pretty good correlation
More information about the cryptography