[stunnel-users] key+cert+dh risks

Christophe Nanteuil christophe.nanteuil at gmail.com
Tue Feb 15 22:29:53 CET 2011


2011/2/13 Jean-Yves F. Barbier <12ukwn at gmail.com>

> On Sun, 13 Feb 2011 22:21:10 +0100, Ludolf Holzheid
> <lholzheid at bihl-wiedemann.de> wrote:
>
>
>
> > On Sat, 2011-02-12 14:32:19 +0100, Jean-Yves F. Barbier wrote:
> > > [..]
> > >
> > > Hmmm, so it looks like may the entropy may be higher with 2 different
> keys.
> >
> > Yes, but if this was more than a hypothetical problem, there would be
> > a counter for uses of the key and a recommendation to use a new key
> > after a certain number of uses.
>
> For my own security, keys are rotated on a monthly basis.
>

Yes and, of course, you are sure that your random generator is better than
the debian one before may 2008...


> > Think of how many times the web
> > banking servers use their key ...
>
> I totally agree with this.
>
> > Don't be too concerned about that.
>
> Yes, I am, because it is not the bank interests I protect, but mine!
>
> The advantage of this question is it forced me to read more about openssl,
> and now I think I'm gonna do it by the rules: separating every parts into
> different files because the exercice is interesting and also because I'll
> soon
> need to configurate a larger network of clients.
>
> However, openssl lacks *real long term* security features (why signing into
> sha1 instead of sha384 or sha512 when it is quite surely already broken by
> gov
> Sces?), and is also somehow suspect (remember the 1 line bug that have
> lasted
> for a looong time? After disclosure it was fixed but not a word from
> the team about it and not a line in the changelog too......)
>

Do you REALLY think that a brute force attack is what someone would use to
gain access to YOUR data ?


> What I also wouldn't like is somebody record the whole connexion and decode
> it
> several years after, once the computer farms power is high enough.
>

ever heard of  'forward secrecy' ? (
http://en.wikipedia.org/wiki/Perfect_forward_secrecy)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110215/4ae141a2/attachment.html>


More information about the stunnel-users mailing list