[wellylug] Next Meeting (security)

Christian Gagneraud chgans at gna.org
Mon Feb 3 22:35:46 NZDT 2014


On 02/03/2014 09:22 PM, Klaatu wrote:
> I think that would be quite an interesting topic for discussion. There
> is a de-centralised method of generating SSL certs, of course, located
> at http://www.cacert.org/ but in order for it to "work" you kind of have
> to get into their ring of trust, which means signing off on people who
> you personally trust. Perhaps that is something that wellyLUG could look
> into if enough people were interested or would find it useful.
>
> There was another de-centralised movement a while ago called
> http://convergence.io/ but I have not really seen much activity around
> it lately. I am not sure if it is still active or relevant, but the idea
> was that you could choose to inherit trust from users you know; in other
> words, if I vouched for a website as trustworthy and you trusted me,
> then you could set your browser to therefore trust the site or sites
> that I have vouched for. Theoretically, with enough participation, quite
> a web of trust would be formed.
>
> Anyway ... interesting topic. I'm definitely all for de-centralising the
> SSL racket.

Me too. Even if I don't understand everything, what I understood is that 
the centralisation of the SSL certificates mess is the Achilles' heel. 
cacert.org has just created an alternative to it, but at the core, this 
system doesn't work, as you are prone to entryism, and all your trust is 
weakened by the possibility of entryism corruption.

Organising a so-called "signing party" could be a nice thought. But maybe 
the best would be to start with a basic explanation of why it's needed, 
how well it performs and how it all works.

For the sake of example, assuming SSL is broken, let's consider this 
use case:
Alice wants to receive from a "trusted" source the CCC's SSL 
certificates. She has to rely on a potentially corrupted "secret" (SSL 
based key: Paul, you or me! ;)), so how can she trust her source?

Last time I thought about it, I ended up there: 
http://e-x-a.org/codecrypt/ccr.1.html


Chris

>
> -klaatu
>
>
> On 02/03/2014 08:29 PM, Christian Gagneraud wrote:
>> On 01/27/2014 08:00 AM, Hugh Davenport wrote:
>>> Hi Guys/Gals,
>>>
>>> Hope you had a great holiday season, and you are ready for the new year.
>>
>> Hi everyone,
>>
>> I have recently received a suspicious email that has been flagged as spam
>> (yes, I check my spam box, because unfortunately there are real emails
>> sneaking in). And I wouldn't mind hearing from someone familiar with security
>> what he/she thinks of it. Anyone fancy having a look at it during the next
>> meeting?
>> This email is so short and simple that I think it could be a bug from a
>> spammer, or simply a test or a probe email.
>>
>> Other stuff I would be interested in talking about is, for example, this
>> announcement: http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
>> I found that while duckduckgoing about Thunderbird vulns; it made me
>> laugh at the end because it is an issue about a "rogue" SSL certificate
>> "issued" by the French government (the "money" branch of it) and used on
>> an unknown "MIM device" - I went paranoid for at least 5 minutes! ;)
>> But honestly, I would love to hear someone competent commenting about
>> that one! For example: how are CRLs and the "chain of trust" managed
>> by applications? Or maybe they are managed at the "system" level?
>>
>> Chris
>>
>>>
>>> The next meeting will be Monday 16th February. To get us all started in
>>> the new year, we will be doing lightning talks. So if anyone got up to
>>> some pet projects over the holidays, or has been working on something
>>> that they want some assistance with, or they just want to get up and say
>>> something... Come along, have your 5 min of fame, and mingle with other
>>> LUGers.
>>>
>>> Let me know if you want to talk, so I can organise a lineup; otherwise
>>> just stand up on the night.
>>>
>>> Meeting details:
>>> When: 16th February, 6pm
>>> Where: Level 3 Catalyst building (if after 6pm, call me on 0276946639)
>>>
>>> Cheers,
>>>
>>> Hugh
>>>
>>>
>>
>>
>
>