Global r00t

Email
Comment *
File	Select/drop/paste files here
* = required field	[▶ Show post options & limits] Confused? See the FAQ.

Embed	(replaces files and can be used instead)
Options	Do not bump (you can also write sage in the email field) Spoiler images (this replaces the thumbnails of your images with question marks)
Password	(For file and post deletion.)
Allowed file types:jpg, jpeg, gif, png, webm, mp4, pdf Max filesize is 8 MB. Max image dimensions are 10000 x 10000. You may upload 5 per post.

File: 1430399999751.jpg (10.26 KB, 654x369, 218:123, suited_up.jpg)

Global r00t Anonymous 04/30/15 (Thu) 13:19:59 No.2200

http://www.w3.org/DesignIssues/Security-NotTheS.html

Just a quick note the global root is about to be extended to capture all web and ssh traffic.

With the System D in-fighting it is going to be forked. If it has a backdoor the % of unix systems capture with the current firmware backdoors will increase a sizable amount.

TLS

With TLS added to OpenSSH to capture more SSH traffic, it is being pushed to capture more SSH traffic.

It is now being pushed as HTTPS/3 and HTTPS Is disappearing

- https will be eradicated

- https:// will load TLS (see link above)

- consumers will think its secure when they see https:// and the logo

- one site will possibley be hacked and then http will be so thoroughly slandered everyone will demand tls

- getting the public to switch back to https will be impossible

The benefit of this is, if it is breakable or backdoored, not only will they get the new tls traffic but all the old https traffic also--- and now the openssh traffic too.

Why not offer https:// and tls://?

Every mandatory https movement or group was completely stalled or infiltrated for the last 10 years

The way it was added to openssh... They merged it like 1 day after openssl 1.0 was released, and insta released a 1.01 with basically only TLS. and the whole thing crumbled within a day. the patch was submitted and then code reviewed by the same guy.

TLS implementation has already had 2 serious show-stopping bugs if i remember. and heartbleed on top of that.

admittedly theres not much proof anywhere.. and I was off the internet in 2012 but from what i remember the story is this:

- I dont really remember anyone saying we need tls

- I do remember ppl saying we need all sites to use https and maybe https 3 -- but all the projects were met with

mysterious hurdles and people refusing to cooperate

- (this is similar to how all black rights and human rights movements were stopped in the last 100 years)

- I dont really remember any outcry of happyness tls was coming along

- I dont know who made it or what their background is and why they are legit

- Specifically I think it was made by two young kids, and I wouldnt be suprised if they are AT&T employees.

- etc

- (this can be argued in a small timewindow view of tls, but based on a view of 15 years of HTTPS is my opinion)

Arguably the w3c knows what its doing to HTML, but should we follow? HTML is still a piece of crap after 20 years. (Google "How to Center text CSS", 27,100,000 results)

Before we do this we should understand how ****ing hard it is gonna be to setup a MeshNet...

Already posted this on HN and got down-voted into oblivion.

tbh i would rather just enc the html files with pgeep and call it done.

Summary:

Prepare for:

ALL web sites to serve TLS only, no HTTPS anymore, TLS will be used under HTTPS:// urls

ALL SSH clients to have TLS handshake code

new SystemD forks showing up in distros

OpenSSH developed by 50+ people from 30 different countries

Anonymous 04/30/15 (Thu) 13:21:31 No.2202

TLS implementation has already had 2 serious show-stopping bugs if i remember. and heartbleed on top of that.

they were beginner crypto mistakes like reusing nonce/null nonce...

who the fk wrote this thing...

Anonymous 04/30/15 (Thu) 13:29:00 No.2203

>>2202

Someone who is obviously not quite as intelligent a he is made out to be.

Anonymous 04/30/15 (Thu) 17:25:28 No.2204

i looked at a few of the commits from the openssh developer who code-checked himself (jhenson or something) on the TLS support and this is the shit they are pulling:

(just looking at 5 of his commits)

1) hes touching a lot of crypto

2) hes removing crypto

3) hes adding ifdefs disabling services

(ie #ifdef windowsstuffflag skip_eliptic_curve_encryption ) - real example . wtf.

4) im not seeing a lot of feature additions

5) oh openssl 1.0 came out i better make 1.01 2 days later with like 2 features, my tls heartbeat code and some lame other feature

6) his heartbleed commit uses the var "payload" instead of "data" or "msg" - wtf.

7) hes reversing flags in code

if ("OK" == vt_asdf_ok){

if (checkflags) {

dostuff()

becomes

if ("ok" != vt_Asdf_ok) {

}

if (!checkflags) {

//dostuff

idk i only looked at 5 commits

Anonymous 04/30/15 (Thu) 17:26:24 No.2205

File: 1430414784241.jpg (6.04 KB, 266x219, 266:219, Its-something.jpg)

>>2204

>6) his heartbleed commit uses the var "payload" instead of "data" or "msg" - wtf.

Anonymous 05/01/15 (Fri) 03:57:56 No.2209

>>2204

fuck that is disconcerting

are GnuTLS or libressl better alternatives?

Anonymous 05/02/15 (Sat) 15:27:07 No.2215

File: 1430580427576.png (328.86 KB, 1050x1637, 1050:1637, http_tls.png)

>>2200

> With TLS added to OpenSSH to capture more SSH traffic, it is being pushed to capture more SSH traffic.

OpenSSH does not use TLS.

OpenSSL does use TLS.

> - https:// will load TLS (see link above)

it already does (see pic), but how does this relate to openSSH?

for HTTP traffic, the only alternative to TLS is SSL (which is very insecure and disabled by default)

https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0

> Why not offer https:// and tls://?

Because TLS is not an application-level protocol, HTTP is.

> Arguably the w3c knows what its doing to HTML, but should we follow? HTML is still a piece of crap after 20 years. (Google "How to Center text CSS", 27,100,000 results)

HTML != HTTP

> Already posted this on HN and got down-voted into oblivion.

That's because your post is self-contradictory, and shows an extreme lack of understanding of internet protocols.

>>2204

> 6) his heartbleed commit uses the var "payload" instead of "data" or "msg" - wtf.

>>2205

Payload is the correct term for the data portion of a packet

https://en.wikipedia.org/wiki/Network_packet#Payload

https://en.wikipedia.org/wiki/IPv6_packet#Payload

>>2209

> are GnuTLS or libressl better alternatives?

libressl is the better alternative.

Anonymous 05/20/15 (Wed) 10:53:12 No.2363

http://www.w3.org/DesignIssues/Security-NotTheS.html

anyway you debunked 2 of my points fair enough

i was misnamed the pkg, i wrote this at 8am after staying up all night, totally could happen.

cheers.

Anonymous 05/20/15 (Wed) 10:55:02 No.2364

Logjam TLS attack (weakdh.org) 2015-5-20

https://weakdh.org/

Anonymous 05/20/15 (Wed) 11:04:31 No.2365

>>2215

what you didnt debunk was this:

TLS implementation has already had 2 serious show-stopping bugs if i remember. and heartbleed on top of that.

they were beginner crypto mistakes like reusing nonce/null nonce...

and the new logjam bug

Anonymous 05/20/15 (Wed) 19:15:47 No.2368

>>2365

http://www.reddit.com/r/netsec/comments/2qnk64/ssh_and_tls_are_insecure_j_appelbaum_claims_31c3/

Anonymous 05/20/15 (Wed) 23:12:29 No.2372

>>2368

https://github.com/ChristopherA/revocable-self-signed-tls-certificates-hack

Anonymous 05/21/15 (Thu) 05:02:10 No.2381

>>2372

not sure if valid essploits or not

https://github.com/openssl/openssl/issues/137

-----

from the author of tls:

https://github.com/ChristopherA/revocable-self-signed-tls-certificates-hack

basically "tls is designed to instantly allow MITM attack", altho im not sure what they could do to stop it.

-----

avoid openssl u are better off with a $5 ssl app from a Latvian college student than ssl from 40 people in 30 countries coworking with the NSA

-----

dont copy that floppy, its a federal crime. software piracy can get you up to 20 years in federal assfucking prison. rigging a foreign currency market to the tune of 200 billion? you get a fine.

Anonymous 06/02/15 (Tue) 09:57:28 No.2464

>>2381

This does not really seem to be a problem with TLS itself. From first glance, the problem described seems to be trusting self signed certificates. And whilst I have about as much faith in those as certificates issued by comodo or digid, I don't see how it is a problem in the security of the communication protocol if one would trust basically anyone able to present you a key.