[conspire] Cert debacle involving a billion certs

Texx texxgadget at gmail.com
Sun Mar 24 20:59:03 PDT 2019


Actually going from 63 to 64 is a huge jump.
The jump in number of bits is only a jump of 1, but the difference in what
that number evaluates to has a larger significance.


Regarding Rick's point about something being encrypted suddenly getting
called "secure":
I have a pet peeve with people doing things like this.
If it's encrypted, call it encrypted (preferably with a parenthetical number
of bits used) so that people can evaluate for themselves.
If someone calls it "secure" my answer is "Wanna buy a bridge?"
If they say it's encrypted, I'm going to ask how many bits encrypted.
If it's encrypted with 8 bits, I'm going to say something very rude (and you
KNOW I'M GOOD at that!)
If it's encrypted with 256 or 512, I'm going to hold it in better regard.

I've tried to find the setting that keeps adding a plug for my anti-virus
software and can't find the menu that supposedly controls this.
I just stumbled across something that might work, but it's totally
different to what websites say to do.
Let's see if this works.


On Mon, Mar 18, 2019 at 1:51 PM paulz at ieee.org <paulz at ieee.org> wrote:

> How many bits make something "secure"? 64 bits was deemed to be "enough"
> in 2016, but that was 3 years ago. When does the 64 bit requirement need
> to be increased?
>
> It's hard to get excited about 63 vs 64 bits except as an embarrassment to
> big companies that should have done better.
>
> On Monday, March 18, 2019, 12:33:29 PM PDT, Deirdre Saoirse Moen <
> deirdre at deirdre.net> wrote:
>
>
>
> https://arstechnica.com/information-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-certificates/
>
> "The snafu is the result of the companies' misconfiguration of the open
> source EJBCA software package that many browser-trusted authorities use to
> generate certificates that secure websites, encrypt email, and digitally
> sign code. By default, EJBCA generated certificates with 64-bit serial
> numbers, in keeping, it seemed, with an industry mandate that serial
> numbers contain 64 bits of output from a secure pseudo-random number
> generator. Upon further scrutiny, engineers discovered that one of the 64
> bits must be a fixed value to ensure the serial number is a positive
> integer. As a result, the EJBCA default produced a serial number with 63
> bits of entropy."
>
> Deirdre’s note: unsigned ints are a thing y’all.
>
> Deirdre
>
>
>
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
>


-- 

R "Texx" Woodworth
Sysadmin, E-Postmaster, IT Molewhacker
"Face down, 9 edge 1st, roadkill on the information superdata highway..."
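The quoted Ars paragraph describes the mechanism behind the 63-bit serials: EJBCA drew 64 random bits but forced the top bit to 0 so the value would fit a positive signed 64-bit integer, which halves the number of possible serials, i.e. costs exactly one bit of entropy. The following is an added worked example, not the thread's own text and not EJBCA's code: it reproduces that flawed default beside a generator that keeps all 64 random bits and handles positivity where it belongs, in the DER encoding of the INTEGER (a leading 0x00 octet when the top bit is set, which RFC 5280 permits as long as the serial stays within 20 octets and is greater than zero). The `scripted_rng` stand-in for `os.urandom` and its preset bytes are constructed for the demonstration; `varying_bits` gives an empirical count of how many bit positions a generator actually lets vary.

```python
import os
from typing import Callable

# Added illustration of the entropy loss discussed above; not EJBCA's code.

Rng = Callable[[int], bytes]  # takes a byte count, returns that many bytes


def ejbca_style_serial(rng: Rng = os.urandom) -> int:
    """Flawed default as described in the article: 64 CSPRNG bits, with the
    top bit forced to 0 so the value fits a positive signed 64-bit integer.
    The result is always < 2**63, so only 63 of the 64 drawn bits survive."""
    value = int.from_bytes(rng(8), "big")
    return value & 0x7FFF_FFFF_FFFF_FFFF


def compliant_serial(rng: Rng = os.urandom) -> int:
    """Keeps all 64 random bits. Positivity is handled by the DER encoding
    (see der_integer), not by discarding a bit. RFC 5280 also requires the
    serial number to be > 0, so an all-zero draw is simply retried."""
    while True:
        value = int.from_bytes(rng(8), "big")
        if value != 0:
            return value


def der_integer(value: int) -> bytes:
    """Minimal DER INTEGER (tag 0x02) for a positive value, as used for
    CertificateSerialNumber. RFC 5280 caps the content at 20 octets."""
    if value <= 0:
        raise ValueError("serialNumber must be a positive integer")
    content = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if content[0] & 0x80:
        # Two's-complement sign bit would read as negative: prepend a zero
        # octet instead of throwing away a bit of randomness.
        content = b"\x00" + content
    if len(content) > 20:
        raise ValueError("serialNumber exceeds 20 octets")
    return b"\x02" + bytes([len(content)]) + content


def varying_bits(make_serial: Callable[[], int], samples: int = 2000) -> int:
    """Count bit positions that take both values across many serials: an
    empirical upper bound on the entropy a generator can deliver. With 2000
    samples, a genuinely random bit stays stuck with probability 2**-1999."""
    or_acc, and_acc = 0, (1 << 64) - 1
    for _ in range(samples):
        s = make_serial()
        or_acc |= s
        and_acc &= s
    return bin(or_acc & ~and_acc).count("1")


def scripted_rng(*chunks: bytes) -> Rng:
    """Constructed stand-in for os.urandom that hands back preset bytes so
    the two generators can be compared on a chosen input."""
    it = iter(chunks)
    return lambda n: next(it)[:n]


if __name__ == "__main__":
    all_ones = b"\xff" * 8
    print(hex(ejbca_style_serial(scripted_rng(all_ones))))  # 0x7fffffffffffffff
    print(hex(compliant_serial(scripted_rng(all_ones))))    # 0xffffffffffffffff
    print(der_integer(compliant_serial(scripted_rng(all_ones))).hex())  # 020900ffffffffffffffff
    print(varying_bits(ejbca_style_serial), varying_bits(compliant_serial))  # 63 64
```

Run as a script it shows the same 8 random bytes producing a serial that can never have bit 63 set under the flawed scheme, while the compliant path keeps the full value and encodes it as a 9-octet DER INTEGER with a leading zero. The `varying_bits` sampling over the real `os.urandom` is the practical check: 63 varying positions for the flawed generator, 64 for the corrected one.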