Jondonym Security Certificate

Questions about organisation, special technical questions, troll plain
AnonymousLife
Posts: 191
Joined: Mon Jan 24, 2011 18:59

Jondonym Security Certificate

Post by AnonymousLife » Tue Nov 08, 2011 15:10

The certificate to this site use to be AES 256 (if I am not mistaken). Now it is RC4, 128 bit keys.

What happened? and Why the change?

Georg Koppen

Re: Jondonym Security Certificate

Post by Georg Koppen » Tue Nov 08, 2011 15:29

The BEAST ran into our way. See e.g. http://ssl.entrust.net/blog/?p=977 or for a more technical article http://www.educatedguesswork.org/2011/0 ... zzodu.html.

cane

Re: Jondonym Security Certificate

Post by cane » Tue Nov 08, 2011 17:09

RC4+RSA, 128 bit keys is a high secure encryption.

-AES-CBC- ciphers are not high secure anymore because of the BEAST attack. But the insecure part is CBC, not AES.

You may check our SSL encryption and compare it with other SSL webservers at: https://www.ssllabs.com/ssldb/

AnonymousLife
Posts: 191
Joined: Mon Jan 24, 2011 18:59

Re: Jondonym Security Certificate

Post by AnonymousLife » Tue Nov 08, 2011 18:47

cane wrote:RC4+RSA, 128 bit keys is a high secure encryption.

-AES-CBC- ciphers are not high secure anymore because of the BEAST attack. But the insecure part is CBC, not AES.

You may check our SSL encryption and compare it with other SSL webservers at: https://www.ssllabs.com/ssldb/
I get it. To avoid CBC, some companies have been using XTS, which, from what I understand, is more secure.

AnonymousLife
Posts: 191
Joined: Mon Jan 24, 2011 18:59

Re: Jondonym Security Certificate

Post by AnonymousLife » Tue Nov 08, 2011 18:48

Georg Koppen wrote:The BEAST ran into our way. See e.g. http://ssl.entrust.net/blog/?p=977 or for a more technical article http://www.educatedguesswork.org/2011/0 ... zzodu.html.
Funny way of phrasing it!

If this is the case, then what about for the mix servers? I know they are 128 bit but are they vulnerable to the BEAST? Is Jondonym using RC4 128 bits for the mix server cascades?

cane

Re: Jondonym Security Certificate

Post by cane » Tue Nov 08, 2011 19:12

some companies have been using XTS
At the moment this is not supported by the SSL library we are using on our webserver. To keep our maintenance work low, we will stay with the default SSL library of the distributor if it was possible to provide a secure configuration.
Is Jondonym using RC4 128 bits for the mix server cascades?
JonDonym does not use SSL encryption for mix server traffic. It is not affected by BEAST or any other known attack to SSL encryption.

Kornblumenblau
Posts: 67
Joined: Sun Oct 27, 2013 19:53

Re: Jondonym Security Certificate

Post by Kornblumenblau » Tue Nov 05, 2013 22:06

??
RC4+RSA, 128 bit keys is a high secure encryption.
RC4: on the way out!

"This cipher was much weaker than previously thought. The weaknesses were not of immediate concern, but it was clear that RC4 was on the way out. [...] RC4 affects everyone and cannot be mitigated [..] attacks against RC4 were going to get better [..]".
--------
https://community.qualys.com/blogs/secu ... l-a-threat
--------

Kornblumenblau
Posts: 67
Joined: Sun Oct 27, 2013 19:53

Re: Jondonym Security Certificate

Post by Kornblumenblau » Tue Nov 05, 2013 22:10

??
The BEAST ran into our way.
!!
"At the beginning of this year [2013], SSL Labs started penalizing all sites that do not incorporate server-side mitigations against the attack. [...] Yesterday [beginning of september] I changed the SSL Labs rating criteria to stop penalizing sites that do not implement server-side mitigations for the BEAST attack."

BEAST: still a thread?

"BEAST is purely a client-side vulnerability. [...] BEAST affects only a part of the user base and there isn't a workable exploitation path for it any more (we hoped). In addition, we knew [...] that the attack surface vulnerable to BEAST [is going] likely to get smaller."
--------
https://community.qualys.com/blogs/secu ... l-a-threat
--------

See also:
--------
https://community.qualys.com/blogs/secu ... cy-and-rc4
--------

sovereignpress
Posts: 188
Joined: Sat Aug 25, 2012 1:02
Contact:

Re: Jondonym Security Certificate

Post by sovereignpress » Wed Nov 06, 2013 1:23

Kornblumenblau wrote:??
RC4+RSA, 128 bit keys is a high secure encryption.
RC4: on the way out!

"This cipher was much weaker than previously thought. The weaknesses were not of immediate concern, but it was clear that RC4 was on the way out. [...] RC4 affects everyone and cannot be mitigated [..] attacks against RC4 were going to get better [..]".
--------
https://community.qualys.com/blogs/secu ... l-a-threat
--------
This site no longer uses RC4-128. It now appears it uses AES-256.
Last edited by sovereignpress on Wed Nov 06, 2013 1:25, edited 1 time in total.

sovereignpress
Posts: 188
Joined: Sat Aug 25, 2012 1:02
Contact:

Re: Jondonym Security Certificate

Post by sovereignpress » Wed Nov 06, 2013 1:24

Kornblumenblau wrote:??
The BEAST ran into our way.
!!
"At the beginning of this year [2013], SSL Labs started penalizing all sites that do not incorporate server-side mitigations against the attack. [...] Yesterday [beginning of september] I changed the SSL Labs rating criteria to stop penalizing sites that do not implement server-side mitigations for the BEAST attack."

BEAST: still a thread?

"BEAST is purely a client-side vulnerability. [...] BEAST affects only a part of the user base and there isn't a workable exploitation path for it any more (we hoped). In addition, we knew [...] that the attack surface vulnerable to BEAST [is going] likely to get smaller."
--------
https://community.qualys.com/blogs/secu ... l-a-threat
--------

See also:
--------
https://community.qualys.com/blogs/secu ... cy-and-rc4
--------
The site now uses AES-256 and is liable to the so-called BEAST attack.

https://www.ssllabs.com/ssltest/analyze ... ervers.net

Post Reply