* Posts by yaronf

3 posts • joined 26 Mar 2016

A third of you slackers out there still aren't using HTTPS by default


RSA is still here

The last few paragraphs of this article are confused and confusing, and really should be rewritten. RSA is in ubiquitous use today by both TLS 1.2 and TLS 1.3 for server authentication, what with almost all certificates out there still based on RSA.

What's been removed from TLS 1.3 and is deprecated in TLS 1.2 (see RFC 7525) is the RSA *handshake*, as opposed to "first use Diffie-Hellman to establish an encrypted connection, then authenticate with RSA".

I agree with Scott that people should be moving to ECDSA certificates, but unfortunately this has been slow going.

Guilt by ASN: Compiler's bad memory bug could sting mobes, cell towers


Re: This wouldn't be much of an issue...

But of course ASN.1 is used in GSM. It is used in old wireline telephony (ISUP and INAP), and GSM inherits much of that.

Only 0.1% of you are doing web server security right


We have DANE? No more than "we have" HPKP

I don't have the numbers, but I would bet you a beer that DANE+TLSA servers are even fewer than those deploying HPKP. Both are good ideas in principle, both are very hard to implement right.


Biting the hand that feeds IT © 1998–2022