Reading today's news on TechCrunch on how NSA can get rosters from - TopicsExpress



          

Reading today's news on TechCrunch on how NSA can get rosters from some chat sites (and notably Facebook is missing there!), I did some analysis on how it's technically possible.

So, here is the security analysis for the Google Chat site which returns the list of buddies (roster) for Google Talk/Hangouts: https://ssllabs/ssltest/analyze.html?d=talk.google

Well, at first it has grade A; however, let's look into the details. Only 2 cipher suites are offered by the server:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

And surprisingly both suites have 2 known vulnerabilities:

1. RC4 is considered a crackable algorithm, e.g. having enough horsepower it's theoretically possible to decrypt it having a session capture: isg.rhul.ac.uk/tls/ So NSA can just sniff traffic on backbones, filter out the traffic coming from Google Talk and then decrypt it.

2. If NSA somehow (through subpoena and/or warrant) got Google's RSA private key, they can decrypt everything in real time. Google's crypto suites are not providing protection against that (e.g. RSA key exchange fully depends on the attacker not knowing the RSA private key. FYI: key exchange is this portion of the suite name: TLS_RSA_).

3. MD5 in 2013? Give me a f*ng break! SHA-1 is slightly better; as of 2005 it was demonstrated to have weaknesses, however, those weaknesses are unlikely to be exploited by attackers. There are easier ways in.

NOTE: as the server offers only those 2 crypto suites, clients CANNOT pick anything but one of those 2 ways to encrypt your data; both can be easily decrypted.

Just for comparison, let's look at what Facebook offers: https://ssllabs/ssltest/analyze.html?d=graph.facebook

Well, at first look, same A score, but the list of offered crypto suites is SIGNIFICANTLY bigger:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

1. Facebook allows the client to opt for AES_256 session encryption. It's stronger than the one required for top secret (AES 192).

2. The TLS_ECDHE_ portion in the cipher name means that even if somebody got hold of Facebook's private key, they still will be unable to decrypt what's going on. (This key exchange uses additional data to protect the session key exchange, while using the RSA key just for server authentication purposes.)

Basically this means Facebook's clients can opt for a non-hackable connection, while Google's cannot. ....
Posted on: Tue, 15 Oct 2013 03:45:24 +0000
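
The suite-name comparison made in the post above, as an added example that is not part of the original post: a small Python parser that splits each suite name into its key exchange, bulk cipher and MAC, then reports the three properties the post calls out (no forward secrecy, RC4, MD5). The function names are illustrative; the suite lists are the ones quoted in the post.

```python
import re

# Suite lists as quoted in the post above.
GOOGLE_TALK = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA"]
FACEBOOK_GRAPH = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
]

# Covers names shaped like the ones in the post: TLS_<kx[_auth]>_WITH_<bulk>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<bulk>[A-Z0-9_]+)_(?P<hash>[A-Z0-9]+)$")
EPHEMERAL = {"DHE", "ECDHE"}  # key exchanges that do not rely on the server key

def parse_suite(name):
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS_*_WITH_* suite name: {name!r}")
    kx_parts = m["kx"].split("_")
    bulk = m["bulk"]
    # In GCM suites the trailing hash is the PRF hash; integrity comes from AEAD.
    aead = bulk.endswith("_GCM")
    return {
        "key_exchange": kx_parts[0],
        "auth": kx_parts[-1],          # TLS_RSA_: RSA does both jobs
        "bulk": bulk,
        "mac": "AEAD" if aead else m["hash"],
        "forward_secret": kx_parts[0] in EPHEMERAL,
    }

def findings(name):
    s = parse_suite(name)
    out = []
    if not s["forward_secret"]:
        out.append("no-forward-secrecy")   # point 2 in the post
    if s["bulk"].startswith("RC4"):
        out.append("rc4")                  # point 1 in the post
    if s["mac"] == "MD5":
        out.append("md5-mac")              # point 3 in the post
    return out

def audit(suites):
    per_suite = {n: findings(n) for n in suites}
    clean = lambda tag: any(tag not in f for f in per_suite.values())
    return {"suites": per_suite,
            "client_can_get_forward_secrecy": clean("no-forward-secrecy"),
            "client_can_avoid_rc4": clean("rc4")}

if __name__ == "__main__":
    for label, suites in (("talk", GOOGLE_TALK), ("graph", FACEBOOK_GRAPH)):
        print(label, audit(suites))
```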
