Re: Backward compatibility bites again (like RC4 in WPA2)
On 12/9/14, grarpamp
https://www.imperialviolet.org/2014/12/08/poodleagain.html
Similar how continued insistence on centralized SMTP continues to bite.
at least they're trying. RC4 in WPA2, and no signs anyone cares...
On Tue, Dec 9, 2014 at 8:14 PM, coderman
RC4 in WPA2, and no signs anyone cares...
The wifi alliance is a bunch of closed companies competing in closed hardware, microcode, firmware and licenses with probably no dependency on opensource other than stealing it. ie: broadcom. And both ends of the connection are terminated by their hardware, you're not in the loop. (Unless you're your own AP/sniffer, in which case they don't care.) Now with your largely opensource browser, TLS libs and apache, even if your far end is terminating on some closed cisco hardware at closed google, they're at least half driven by you, compatibility wise. Though users might care, at least the 'both ends owned' vendors will be extremely resistant to change. Would you have better luck convincing coffee shop owners to run openwrt so you can terminate an AES local VPN on their hotspot and then out to the net, overlaying what's used on the airwaves be it rc4 or cleartext? Let me know what shop to patronize :) (The b43 wireless project used to write some open firmware for broadcom nics. And other brands do have some open firmware. Thought WPA2 was in the silicon though, I might be wrong.)
On 12/9/14, coderman
... RC4 in WPA2, and no signs anyone cares
it is feb 2015, and still RC4 in WPA2, also remote, also blind, also post-exchange kletographicexfil without disclosures, without firmware updates, without papers, without trendy security con stage hack theatrics, it is industry force, creates its own moral justification without reservation. 2015, RC4 still in WPA2, WPA2 still in everything, ... [0]. best regards, 0. "I've seen people act like you can't disable RC4 until you agree whether it's very very weak or completely broken." - https://twitter.com/nickm_tor/status/542192592424017920
On 2/4/15, coderman
... 2015, RC4 still in WPA2, WPA2 still in everything, ... [0].
not RC4 specifically, but EXP-RC4-MD5 is the avenue: "The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today." - http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-fact... RC4, still hurting us today, too!
Dnia wtorek, 3 marca 2015 13:48:28 coderman pisze:
On 2/4/15, coderman
wrote: ... 2015, RC4 still in WPA2, WPA2 still in everything, ... [0].
not RC4 specifically, but EXP-RC4-MD5 is the avenue:
"The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today." - http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-fac toring-nsa.html
RC4, still hurting us today, too!
NSA -- making the world a less safe place, one cipher at a time! -- Pozdrawiam, Michał "rysiek" Woźniak Zmieniam klucz GPG :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
participants (3)
-
coderman
-
grarpamp
-
rysiek