GNU social JP
Conversation

Notices

  1. Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 09-Jul-2024 20:10:03 JST

    Cryptography libraries should have something like hdparm's --please-destroy-my-drive before they'll let you use catastrophically insecure algorithms/key sizes, like 512-bit RSA.

    In conversation about a year ago from infosec.exchange permalink
    • Varbin :arctic_fox: :gay_furr: (varbin@infosec.exchange)'s status on Tuesday, 09-Jul-2024 20:22:42 JST

      @ryanc
      Is this still related to the vulnerability you discovered?

      In conversation about a year ago permalink
    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 09-Jul-2024 20:34:51 JST
      in reply to Varbin :arctic_fox: :gay_furr:

      @varbin Yeah.

      Someone used 512-bit RSA, which was demonstrably breakable by a small org a quarter of a century ago, and is now practically breakable on a standard PC in under a week, and in hours using distributed computing.

      The vendor is working to fix the issue, but it shouldn't have been possible for them to make the error in the first place without an obvious "please let me do dangerous things" opt-in.

      Developers should not need to be cryptography experts to build secure systems; libraries should be task-oriented and opinionated - libsodium is a good example of this.

      In conversation about a year ago permalink
    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 09-Jul-2024 20:40:16 JST
      in reply to Varbin :arctic_fox: :gay_furr:

      @varbin Python's cryptography package puts a bunch of stuff under hazmat, which the documentation describes as:

      ❗DANGER
      This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.

      ...but there are a lot of code examples which use it.

      Notably, any asymmetric cryptography requires hazmat stuff.

      In conversation about a year ago permalink
    • sk3w (sk3w@infosec.exchange)'s status on Tuesday, 09-Jul-2024 23:21:05 JST

      @ryanc RSA implementations all kinda feel like https://giphy.com/embed/3o6Mbsras7qdAwgABW

      In conversation about a year ago permalink

    • Ron Bowes (iagox86@infosec.exchange)'s status on Wednesday, 10-Jul-2024 00:33:16 JST

      @ryanc A corollary is, I dislike it when libraries remove that kind of functionality because, as a security researcher, sometimes I need to test with a 512-bit key.

      But yes, lock it behind whatever opt-in you want!

      In conversation about a year ago permalink
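
One way to build the opt-in gate discussed in this thread, as an added example that is not code from any participant or from a real library: a standard-library Python loader for a PKCS#1 RSAPublicKey that refuses small moduli unless the caller passes an explicit flag, which still leaves a researcher able to load a 512-bit key deliberately. The 2048-bit floor, the names `load_rsa_public_key`, `WeakKeyError` and `please_let_me_use_broken_rsa`, and the sample keys are all assumptions made for illustration.

```python
# Added example: every name and the 2048-bit floor are assumptions, not from the thread.
MIN_RSA_BITS = 2048


class WeakKeyError(ValueError):
    """Key is below the policy floor and the caller did not opt in."""


def _read_tlv(buf, pos, tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length


def load_rsa_public_key(der, *, please_let_me_use_broken_rsa=False):
    """Parse PKCS#1 RSAPublicKey ::= SEQUENCE { INTEGER n, INTEGER e }."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after key")
    n_raw, pos = _read_tlv(body, 0, 0x02)
    e_raw, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body) or not n_raw or n_raw[0] & 0x80:
        raise ValueError("malformed RSAPublicKey")
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")
    bits = n.bit_length()
    # The gate: weak sizes fail closed unless the caller spells out the opt-in.
    if bits < MIN_RSA_BITS and not please_let_me_use_broken_rsa:
        raise WeakKeyError(
            f"{bits}-bit RSA modulus is below the {MIN_RSA_BITS}-bit floor; "
            "pass please_let_me_use_broken_rsa=True to load it anyway")
    return n, e, bits


# Constructed samples: correctly sized DER, but n is not a real RSA modulus.
_E = "0203010001"  # INTEGER 65537
SAMPLE_512 = bytes.fromhex("3048" "0241" "0080" + "00" * 62 + "01" + _E)
SAMPLE_2048 = bytes.fromhex("3082010a" "02820101" "0080" + "00" * 254 + "01" + _E)
```

Keys wrapped in SubjectPublicKeyInfo, the usual form in PEM files and certificates, need that outer structure unwrapped before this parser applies.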


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.