CVE-2016-4018

The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and conduct unspecified other attacks via unspecified vectors, aka SAP Security Note 2262742.

CVE-2016-4017

The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710.

Journalist Matthew Keys gets 2-Year Prison term for helping Anonymous Hackers

Former Reuters journalist Matthew Keys, who was convicted last year of helping the Anonymous group of hackers, has been sentenced to 24 months in prison for computer hacking charges.

Keys was found guilty in October last year of giving Anonymous login credentials that allowed the group to deface the Los Angeles Times, a Tribune Media-owned newspaper, back in 2013.

After leaving the job

Re: end of useable crypto in browsers?

Posted by Sebastian on Apr 14

Hey,

That’s true. But the keygen element is flawed by the known-broken CA
system(*) and you can’t build a secure house on a broken foundation. You
could check whether the certificate for your site is issued by your CA,
but if they can issue certificates they could simply attack your browser’s
updater. Our only hope for truly secure communication is tools like pgp
combined with anonymity through, for example, TOR or freenet (not the…

Call for Papers for 4th Balkan Computer Congress – BalCCon2k16

Posted by Milos Krasojevic on Apr 14

Call for Papers for 4th Balkan Computer Congress – BalCCon2k16

09|10|11 September 2016, Novi Sad, Vojvodina, Serbia, Europe, Earth,
Milky Way

The BalCCon2k16 staff are now soliciting papers to be presented at our
BalCCon2k16 Congress to be held 09 – 11th September in Novi Sad, Serbia.
The CfP is open until 1st July 2016.

https://balccon.org

The Event

Balkan Computer Congress is an annual three-day gathering of the
international hacker…

DAVOSET v.1.2.8

Posted by MustLive on Apr 14

Hello participants of Mailing List.

After making the public release of DAVOSET
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html),
I’ve made the next update of the software. On 26th of March DAVOSET v.1.2.8 was
released – DDoS attacks via other sites execution tool
(http://websecurity.com.ua/davoset/).

Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I

GitHub:…

Re: end of useable crypto in browsers?

Posted by Seth Arnold on Apr 14

The only TLS client certificate authentication I see on a regular basis
is for CertFP use for IRC nickserv authentication and OpenVPN. Trying to
use a browser to perform either of these actions would be awkward at best.

What application or service do you know of that uses TLS client
authentication that requires browser integration? If you can demonstrate
users who will be affected they may be more amenable to your claims. (I
suspect the browser…

Re: end of useable crypto in browsers?

Posted by Sebastian on Apr 14

Hey,

to put it simply: No.

The real problem is that no one is using it. Yes, it is pretty secure,
but it’s too much trouble for most users (try to log in from your phone)
and also a baseless PITA for most server operators. It’s also not good
for business (you need to be able to restore the certificate easily,
have multiple devices, all your servers need https …). To make matters
worse many browsers don’t even bother supporting it…

Re: end of useable crypto in browsers?

Posted by Árpád Magosányi on Apr 14

No doubt keygen has its problems. But there should be a bit more reason
for entirely removing a technology which is needed than “it is not
mature enough yet”.
One reason the whole symmetric crypto technology could not mature is
that getting key deployment right is not a straightforward task
(fscked-up trust relationships did not help either, but that is an issue
which we can work around. With smart key management. Oh, wait…) ….