[Ach] My review of the PDF ;)

David Durvaux david.durvaux at autopsit.org
Tue Nov 12 14:15:14 CET 2013


Sorry to use another email address, we are currently working with 2 dark
fibers cut ;).
Thanks to that, I had some time to send out some comments ;-).

Firstly, great work! It's an excellent initiative and the way it goes is

I would like to add Lighttpd to the list of webservers proposed.  In my
experience, it's an excellent alternative to Apache: lighter and easier to
configure.  It's less known but used by important websites like YouTube and
Wikipedia (http://www.lighttpd.net/).

For instance, we at CERT.be hosted dns-ok.be on a lighttpd server and it
was perfectly handling important traffic in a short time span (like news
asking people to go there to check their machine ;)).

I would like to discuss briefly the AES key length.  I found this
reference again on Bruce Schneier's blog:
https://www.schneier.com/blog/archives/2009/07/another_new_aes.html.  It's
from 2009 (so, what's the latest status on this?) but basically states that
some attacks were only affecting AES256 and broke up to 11 of the 14
rounds.  AES256 is still safe but MAYBE the key size in that
particular example COULD BE counter-effective.  As we say in French, "avec des
si on met Paris en bouteille" ("With IF, you put Paris in a bottle"); there
are a lot of conditions and open questions but maybe something we need to
keep in mind.

From a more general point of view, we should add something on stuff you
should avoid, like a double layer of crypto (ciphering ciphered text), that
could result in less efficient crypto than with a single layer.

As an extra reference, the Handbook of Applied Cryptography
(http://cacr.uwaterloo.ca/hac/), which is freely available, was (still the
case) considered an excellent reference during my studies (finished 6
years ago :'().

I'm not a crypto expert so sorry if I'm writing stupid stuff there.  I'm
only a user ;).



P.S. - Regarding my comment on Lighttpd, I offer to write the equivalent of
Apache for Lighttpd.  I will also try to quickly propose a draft for GPG.

