[Ach] Improving Applied Crypto Hardening Draft
L. Aaron Kaplan
kaplan at cert.at
Fri Jan 10 09:58:03 CET 2014
thanks for your feedback.
On Jan 10, 2014, at 9:42 AM, Manuel Kraus <ach at lsd.is> wrote:
> Hey there,
> I'm not sure, if this is the right way to put suggestions.
> Forgive me, if I'm wrong!
> My suggestion:
> a) Page 55
> Key Exchange Table
> - What is EECDH? Maybe you mean ECDHE instead?
> - You should add DHE as well, since this is the important non-ec key exchange on AES ciphers, like EDH is for the 3DES ciphers
okay, will look into this. Seems like it's a bug.
> b) I don't know how close you are to the guys at cert.at, but there are improvements possible too:
> The website "http://lists.cert.at/cgi-bin/mailman/options/ach" isn't SSL by default!
> I missed that detail and put my Ach-list password in cleartext... uhhh..
Yes, please note that we initially in the beginning of the project simply used the existing mailman infrastructure of my work place. One way forward is to improve the setup there, the other is to move to a different mailinglist server (and improve the setup at cert.at).
Note that Bettercrypto.org is not a CERT.at project, although I work there.
Hope this clarified it :) And yes, I agree with you.
> c) The list password is stored there in cleartext, I assume.
Yes, that setup needs to be improved. Thanks for the heads up.
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Ach