On 10/13/14, ianG <iang@iang.org> wrote:
... No, and I argue that nobody should care about MITM nor downgrade attacks nor any other theoretical laboratory thing. I also argue that people shouldn't worry about shark attacks, lightning or wearing body armour when shopping. ... What distinguishes what we should care about and what we shouldn't is data. And analysis of that data.
indeed. thanks for showing me the light, ian! Q: 'Should I disable Dual_EC_DRBG?' A: "The data shows zero risk of an attacker compromising the known vulnerability of a specially seed random number generator. Do not change; keep using Dual_EC_DRBG!" Q: 'Should I switch away from 1024 bit strength RSA keys?' A: "The data shows zero risk of an attacker compromising the known vulnerability of a insufficiently large RSA key as the cost is prohibitive and no publicly demonstrated device exists. Do not change to larger keys; keep using 1024 bit RSA!" Q: 'Should I worry about the auto-update behavior of my devices or computers?' A: "The data shows minimal risk of an attacker compromising your systems via this method. Don't bother changing your vulnerable auto update any where any time any how; you're probably safe!" it's all so easy now... :)