"We introduce Alibi Routing, a peer-to-peer system that allows users to understand and control where in the world their packets don't go. In other words, it lets users provably avoid parts of the world while communicating with others or browsing the web."
"A few people asked about the FreeS/WAN IPsec OE efforts and whatever happened to it. The short answer is, we failed and got distracted. The long answer follows below. At the end I will talk about the current plans that have lingered in the last two years to revive this initiative."
"We present HORNET, a system that enables high-speed end-to-end anonymous channels by leveraging next generation network architectures. HORNET is designed as a low-latency onion routing system that operates at the network layer thus enabling a wide range of applications. Our system uses only symmetric cryptography for data forwarding yet requires no per-flow state on intermediate nodes. This design enables HORNET nodes to process anonymous traffic at over 93 Gb/s. HORNET can also scale as required, adding minimal processing overhead per additional anonymous channel."
"In our demonstration the victim uses Internet Explorer, and we show how the attacker can take over an account of the victim. This is the first time weaknesses in RC4, when used in TLS and HTTPS, are exploited against real devices."
"If a server does not check this field, then it has ignored one of the primary goals of TLS: ensuring the integrity of the data communicated over the channel - The updated test found 269 servers (out of 530000 tested servers) that did not perform the check."
"Both Tor, independent security researchers and website owners need to work towards a safer Internet. In 32 days I've found 15 instances where a node is sniffing and using my credentials and over 650 uniqe pagevisits which means that others also sniffs."
Washington Post: "The making of a vulnerable Internet: This story is the first of a multi-part project on the Internet’s inherent vulnerabilities and why they may never be fixed."
"Hola is harmful to the internet as a whole, and to its users in particular. You might know it as a free VPN or "unblocker", but in reality it operates like a poorly secured botnet - with serious consequences."
"QUANTUMINSERT (QI) is actually a relatively old technique. In order to exploit it, you will need a monitoring capabilities to leak information of observed TCP sessions and a host that can send spoofed packets. Your spoofed packet also needs to arrive faster than the original packet to be able to be successful."
"At long last, the Internet Engineering Task Force (IETF) has published RFC 7469, Public Key Pinning Extension for HTTP (HPKP)" "HPKP is an attempt to solve 1 of the big problems in the Web PKI: the fact that essentially any certification authority (CA) or intermediate issuer can issue end-entity (EE, or “leaf”) certificates for essentially any web site."
Launching a side project to monitor/shame the HTTPS implementation or lack thereof.
"Encrypted Web traffic is expected to continue its upward trend, driven by increased privacy awareness, uptake by major players and advocacy from the IETF and W3C. This document describes the technical details of options to persist certain network management functions for encrypted traffic."
Applications Due April 17th!
Warning: Contains Snowden related fluff and noise.
"everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken"
The vulnerability allows a tls-authenticated client to crash the server by sending a too-short control channel packet to the server.
This service supporting Certificate Transparency and other security practices will be built on the Automated Certificate Management Environment (ACME) protocol with a draft specification available on GitHub.
"18F is an in-house government technology team that builds things for the rest of the US federal government, and we're committed to deploying HTTPS across all of our released websites."
'We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected.'
1) I've upgraded the signed TLS certificate... with the best practice 4096bit SHA256
2) I've verified my Keybase GPG key at https://keybase.io/cybershambles -
We live in a world of CyberShambles and I'm glad to hear this project got nuked. On the plus side, thegrugq is likely in deep discussion with a number of internet rockstars on how we can turn the Anonabox trainwreak into something positive.
"I'm working on something to announce (hopefully) today. Will try to get a PORTAL to everyone that wants/needs one. :)" - @thegrugq
"Unlike with the BEAST there is no reasonable workaround ... SSL 3.0 must be avoided entirely"
Google: In the coming months, we hope to remove support for SSL 3.0 completely from our client products.
Mozilla: SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25. Firefox 35 will support a generic TLS downgrade protection mechanism known as SCSV.
@bunniestudios & Torproject.org dropped the TorRouter project years ago. Who wants responsibility shipping live targets ;) Good luck with all that. See: https://lists.torproject.org/pipermail/tor-talk/2012-March/023799.html
"If you run a privacy conference with only card payment methods or sell a TOR appliance with google-analytics on your site, rethink your life" - @Kxyne
"This morning we began rolling out the Universal SSL across all our current customers. We expect this process to be complete for all current customers before the end of the day. Yesterday, there were about 2 million sites active on the Internet that supported encrypted connections. By the end of the day today, we'll have doubled that."
"For all customers, we will now automatically provision a SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains. Those certificates include an entry for the root domain (e.g., example.com) as well as a wildcard entry for all first-level subdomains (e.g., www.example.com, blog.example.com, etc.)"
"In Keyless SSL, the key server only allows connections from clients with a certificate signed by a CloudFlare internal certificate authority. We use certificates granted by our own certificate authority for both sides of this connection. We have strict controls over how these certificates are granted and use the X.509 Extended Key Usage option to ensure that certificates are only used as intended."
"Sebastien was able to build the initial Keyless SSL prototype overnight. Making sure it was secure, fast, and could scale is what took us two years of engineering. Now, with persistent connections and advanced session resumption techniques, using Keyless SSL is not only safe, it’s blazing fast!"
SMIMP is a secure messaging protocol aimed at addressing the flaws and failures of traditional email. By creating a new protocol, designed to be secure from day one, instead of gluing security on as an after thought, SMIMP intends to address the flaws and mistakes of traditional email.
“SMIMP can be divided into two major parts; identity management and messaging. The identity management system is the core of the design, which the messaging system leverages and builds upon. The identity management system can leverage for other systems, and such use is encouraged..
A single command sets up a brand new server running a wide variety of anti-censorship software that can completely mask and encrypt all of your Internet traffic. -- “Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services.” – Joshua Lund.