There's been a lot of talk about some portion of the RSA keys on the Internet being insecure, with "2 out of every 1000 keys being bad". This is incorrect, as the problem is not equally likely to exist in every class of key on the Internet. In fact, the problem seems to only show up on keys that were already insecure to begin with -- those that pop errors in browsers for either being unsigned or expired. Such keys are simply not found on any production website on the web, but they are found in high numbers in devices such as firewalls, network gateways, and voice over IP phones.
It's tempting to discount the research entirely. That would be a mistake. Certainly, what we generally refer to as "the web" is unambiguously safe, and no, there's nothing particularly special about RSA that makes it uniquely vulnerable to a faulty random number generator. But it is extraordinarily clear now that a massive number of devices, even those purportedly deployed to make our networks safer, are operating completely without key management. It doesn't matter how good your key is if nobody can recognize it as yours. DNSSEC will do a lot to fix that. It is also clear that random number generation on devices is extremely suspect, and that this generic attack that works across all devices is likely to be followed up by fairly devastating attacks against individual makes and models. This is good and important research, and it should compel us to push for new and interesting mechanisms for better randomness. Hardware random number generators are the gold standard, but perhaps we can exploit the very small differences between clocks in devices and PCs to approximate what they offer.
Ruth writes, “The link tax is back, but we have a chance to stop it. The Save the Link network are pushing back against proposals in the EU for a new hyperlinking fee (AKA ‘ancillary copyright’) that will affect us all. If lobbyists succeed copyright rules will be extended to hyperlinks – giving publishers the […]
A new research report from Citizenlab painstaking traces the origins of a series of sophisticated hacking attacks launched at Rori Donaghy, a UK journalist for Middle East Eye who founded the Emirates Center for Human Rights, which reports critically on the autocratic regime that runs the UAE, and 27 other targets.
Vaping continues to become increasingly popular, meaning there is a growing selection of premium vaping products on the market. Here’s one that should get your attention: the AtmosRX Combo Vaporizer Bundle. This top-notch bundle includes the Rx Dry Herb Vaporizer, plus a bundle of accessories and flavors. Grab it now: it’s currently 73% off in the Boing Boing Store.The Atmos […]
We’d all love a 75-inch TV screen on which to view our favorite shows. But not all of us can drop the cash needed to get one of those broadcasting beauties (or even have the space needed to house them).Thankfully, there’s an alternative. With the SainSonic Mini LED Portable Projector (only $59.99 in the Boing Boing Store), you can project a picture […]
If you want to add some real firepower to your programming repertoire, learn Java–one of the most adaptable, widely-used programming platforms around. You can easily do that with this Ultimate Java bundle, now just $69 in the Boing Boing Store.Across 14 lectures and 117 hours of content, the educators at online academy eduCBA will walk you through […]