back to article Mauritian code-cutters to help deliver TLS 1.3

When IETF 100's hackathon kicks off in Singapore, one of the groups hoping to make waves will come from Mauritius. Their aim, Logan Velvindron of hackers.mu told Vulture South, is twofold: to make serious contributions to the development of the as-yet-immature TLS 1.3, and along the way, break Mauritius out of its public image …

  1. Anne-Lise Pasch

    Broken by design then.

    Most large clients use MiddleBoxes as standard, because of disparate internal/external service hosting.

    e.g. Imperva DoS protection -> App gateway -> Load balancer -> Reverse proxy -> Media/CMS.

    And that's not even factoring CDN solutions.

    1. -tim

      Re: Broken by design then.

      Its also broken by design so that users can't plug in their own block cipher, hash or public key encryption. The days of enumerating a few options just to save a byte in a startup packet are long gone and the concepts of plug in ciphers are well known and offer options once something falls to the crypto gods. If my client and server want to do AES512 with 20 rounds, the protocol should allow me to add a config line saying prefer "AES512_20rounds-GCM-SHA512_160rounds" without breaking anything. Right now, the client and server software need to be hacked, and ID type that will conflict in the future will need to be added, the crypto libraries need to be updated and then everything has to be recompiled. That process is why there are so many broken systems out on the web today.

      1. Frank Gerlach #2

        Re: Broken by design then. / GOST

        I think you have a certain selection of ciphers, including the Russian GOST in TLS.

  2. Anonymous Coward
    Anonymous Coward

    Mauritius?

    Sounds a little better to live than many of the places in the UK. I wonder how I can persuade them to give me a job...

    1. TheDataRecoverer

      Re: Mauritius?

      Oh, you'd soon tire of the endless beautiful weather, beaches, rum....

      I know: got married there many years ago, happy memories! Sadly back in Blighty soon after (although a visit to Reunion and Rodrigues was a blast!)

  3. This post has been deleted by a moderator

  4. Frank Gerlach #2

    Here Is Some REAL Transport Security - MST

    First lets look at SSL/TLS and why it is Broken By Design:

    * enormous complexity which means lots of lines of code. Between 30000(Google's TLS) and 400000 lines of code (OpenSSL). ALL major implementations have had exploitable bugs in the past couple of years.

    * depends on the security of Certificate Authorities

    * requires Public Key cryptography as an added bonus of complexity (and potential weakness)

    Talk is cheap, can I do it better ? Here is my attempt:

    https://github.com/DiplIngFrankGerlach/MST

    + less than 1000 lines of code. That means: any competent crypto software engineer can usefully review it

    + All SSL/TLS assurances

    + No public key crypto. Your bank/telco/utility company/stock broker can send you an envelope with a 16 byte key. If you do not trust the post office, visit said institution's branch office to collect the key.

    1. Frank Gerlach #2

      CAs hacked

      I forgot to mention that more than once Certificate Authorities have been successfully cyber-penetrate and bogus TLS cerificates for major services such as gmail have been issued by the attackers.

    2. Throatwarbler Mangrove Silver badge
      FAIL

      Re: Here Is Some REAL Transport Security - MST

      "No public key crypto. Your bank/telco/utility company/stock broker can send you an envelope with a 16 byte key. If you do not trust the post office, visit said institution's branch office to collect the key."

      Yes, this seems likely to be done by the average person on the street . . . as soon as monkeys fly out of my butt.

      1. Frank Gerlach #2

        Convenience Trumps All Considerations ?

        So what you are saying is that users cannot be bothered to enter 16 octets of key, because they would miss 3 minutes of "what are the Kardashians up to ?".

        Also, MSFT license keys are quite similar to the keys of MST. Nobody had a problem to enter them.

        1. Throatwarbler Mangrove Silver badge
          Holmes

          Re: Convenience Trumps All Considerations ?

          Yes, that is exactly what I am saying. No one except the sort of person who keeps pee in jars will be entering 16 octets of key by hand. You almost have a point with Microsoft license keys, but those are a) mostly distributed electronically now, so they can be copied and pasted, b) they arrive with the product you're going to use, and c) the average person, again, will say "$OtherBank doesn't require this tedious manual crap, I'll just go with them."

          1. EnviableOne Silver badge

            Re: Convenience Trumps All Considerations ?

            put a barcode under the key and supply a either USB barcode reader with it or build it in to the banking App on the device

            works for telephony MAC entry and it fixes the who fat fingers typing code in thing too

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020