[wellylug] Next Meeting (security)
Hugh Davenport
hugh at davenport.net.nz
Tue Feb 4 09:14:22 NZDT 2014
Hey,
We did a signing party (GPG) late last year, and I would be happy to run
another, potentially a CACert one as well (though I haven't done the
process).
I would be happy to look at your email Chris, and ramble about SSL and how
it is fundamentally broken. Disclaimer, I work in security :P
Cheers,
Hugh
On 2014-02-03 22:35, Christian Gagneraud wrote:
> On 02/03/2014 09:22 PM, Klaatu wrote:
>> I think that would be quite an interesting topic for discussion. There
>> is a de-centralised method of generating SSL certs, of course, located
>> at http://www.cacert.org/ but in order for it to "work" you kind of have
>> to get into their ring of trust, which means signing off on people who
>> you personally trust. Perhaps that is something that wellyLUG could look
>> into if enough people were interested or would find it useful.
>>
>> There was another de-centralised movement a while ago called
>> http://convergence.io/ but I have not really seen much activity around
>> it lately. I am not sure if it is still active or relevant, but the idea
>> was that you could choose to inherit trust from users you know; in other
>> words, if I vouched for a website as trustworthy and you trusted me,
>> then you could set your browser to therefore trust the site or sites
>> that I have vouched for. Theoretically, with enough participation, quite
>> a web of trust would be formed.
>>
>> Anyway ... interesting topic. I'm definitely all for de-centralising the
>> SSL racket.
>
> Me too, even if I don't understand everything, what I understood is
> that the centralisation of the SSL certificates mess is the Achilles'
> heel. cacert.org has just created an alternate of it, but at the core,
> this system doesn't work as you are prone to entryism, and all your
> trust is weakened by entryism corruption possibility.
>
> Organising a so-called "signing party" could be nice though. But
> maybe the best would be to start with basic explanation on why it's
> needed, how well it performs and how it all works.
>
> For the sake of example, assuming SSL is broken, let's consider this
> use case:
> Alice wants to receive from a "trusted" source the CCC's SSL
> certificates. She has to rely on a potentially corrupted "secret" (SSL
> based key: Paul, you or me! ;)), so how can she trust her source?
>
> Last time I had a thought at it, I ended up there:
> http://e-x-a.org/codecrypt/ccr.1.html
>
>
> Chris
>
>>
>> -klaatu
>>
>>
>> On 02/03/2014 08:29 PM, Christian Gagneraud wrote:
>>> On 01/27/2014 08:00 AM, Hugh Davenport wrote:
>>>> Hi Guys/Gals,
>>>>
>>>> Hope you had a great holiday season, and you are ready for the new year.
>>>
>>> Hi everyone,
>>>
>>> I have recently received a suspicious email that has been flagged as
>>> spam (yes I check my spam box, because there are unfortunately real
>>> emails sneaking in). And I wouldn't mind hearing what someone familiar
>>> with security thinks of it. Anyone fancy having a look at it during the
>>> next meeting?
>>> This email is so short and simple that I think it could be a bug from a
>>> spammer, or simply a test or a probe email.
>>>
>>> Other stuff I would be interested to talk about is for example this
>>> announcement:
>>> http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
>>> I found that while duckduckgoing about thunderbird vulns, it made me
>>> laugh at the end because it is an issue about a "rogue" SSL certificate
>>> "issued" by the French government (the "money" branch of it) and used on
>>> an unknown "MIM device" - I went paranoid for at least 5 minutes! ;)
>>> But honestly, I would love to hear someone competent commenting about
>>> that one! For example: how are CRLs and "chain of trust" managed by
>>> applications? Or maybe they are managed at the "system" level?
>>>
>>> Chris
>>>
>>>>
>>>> The next meeting will be Monday 16th February. To get us all started in
>>>> the new year, we will be doing lightning talks. So if anyone got up to
>>>> some pet projects over the holidays, or have been working on something
>>>> that they want some assistance with, or they just want to get up and say
>>>> something... Come along, have your 5 min of fame, and mingle with other
>>>> LUGers.
>>>>
>>>> Let me know if you want to talk, so I can organise a lineup, otherwise
>>>> just stand up on the night.
>>>>
>>>> Meeting details:
>>>> When: 16th February, 6pm
>>>> Where: Level 3 Catalyst building (if after 6pm, call me on
>>>> 0276946639)
>>>>
>>>> Cheers,
>>>>
>>>> Hugh
>>>>
>>>>
>>>
>>>
>>
>>
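As an added illustration of the inherited-trust idea Klaatu describes above and of Chris's entryism worry, here is a small Python model (example code written for this page, not from the thread, Convergence or CAcert) that decides whether a site is trusted by following vouches from people you trust, with a hop limit and a minimum number of independent vouchers. The people, sites and vouches are constructed sample data.

```python
from collections import deque

# Constructed sample data for this example (not from the thread).
# A vouch is (voucher, subject); a subject is either a person or a site name.
PEOPLE = {"chris", "klaatu", "hugh", "mallory"}
VOUCHES = [
    ("chris", "klaatu"), ("chris", "hugh"), ("chris", "mallory"),
    ("klaatu", "example.org"), ("hugh", "example.org"),
    ("mallory", "evil.example"),  # one entryist peer vouching on its own
]

def build_graph(vouches):
    """Map each voucher to the set of people and sites they vouch for."""
    graph = {}
    for voucher, subject in vouches:
        graph.setdefault(voucher, set()).add(subject)
    return graph

def trusted_people(graph, me, max_hops):
    """People whose vouches `me` inherits: reachable within max_hops trust edges."""
    seen = {me}
    frontier = deque([(me, 0)])
    while frontier:
        person, depth = frontier.popleft()
        if depth >= max_hops:
            continue
        for nxt in graph.get(person, ()):
            if nxt in PEOPLE and nxt not in seen:   # sites never vouch for anyone
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return seen

def vouchers_for(graph, me, site, max_hops=2):
    """Trusted people (from `me`'s point of view) who vouch for `site`."""
    return {p for p in trusted_people(graph, me, max_hops) if site in graph.get(p, ())}

def site_trusted(graph, me, site, max_hops=2, quorum=1):
    """Trust `site` only if at least `quorum` distinct trusted people vouch for it.
    quorum=1 is plain inherited trust; a higher quorum limits what a single
    corrupted voucher (the entryism problem) can get your browser to accept."""
    return len(vouchers_for(graph, me, site, max_hops)) >= quorum

if __name__ == "__main__":
    g = build_graph(VOUCHES)
    for site in ("example.org", "evil.example"):
        print(site, "quorum=1:", site_trusted(g, "chris", site),
              "quorum=2:", site_trusted(g, "chris", site, quorum=2))
```

With quorum=1, chris trusts evil.example purely because he trusts mallory; with quorum=2 only example.org, vouched for by both klaatu and hugh, passes.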