Comments on: ‘Progress’ was a bad idea. http://www.apathysketchpad.com/blog/2009/02/27/progress-was-a-bad-idea/ Floccinaucinihilipilificating antidisestablishmentarianism since 2001. Mon, 26 Jul 2010 12:35:51 +0000 http://wordpress.org/?v=2.8.4 hourly 1 By: Andrew http://www.apathysketchpad.com/blog/2009/02/27/progress-was-a-bad-idea/comment-page-1/#comment-5458 Andrew Sat, 28 Feb 2009 16:44:07 +0000 http://www.apathysketchpad.com/blog/?p=992#comment-5458 To crack RSA encryption, you would have to find a way to factorise large semiprimes in reasonable time, and most mathematicians are pretty convinced that no method exists to do so. The fact that someone left a vulnerability in Apache really doesn't make any difference: this isn't 'if input=password then print message', these are systems where the 'password' is a direct parameter of the algorithm needed to decrypt the message. No programming error will change that unless they accidentally save your private key into the file or something equally colossally dumb -- and you can check if they've done that by looking at the source. The source code will make life incrementally easier for the hackers, but if you have enemies smart enough to solve the RSA Problem then you're fucked anyway. To crack RSA encryption, you would have to find a way to factorise large semiprimes in reasonable time, and most mathematicians are pretty convinced that no method exists to do so. The fact that someone left a vulnerability in Apache really doesn’t make any difference: this isn’t ‘if input=password then print message’, these are systems where the ‘password’ is a direct parameter of the algorithm needed to decrypt the message. No programming error will change that unless they accidentally save your private key into the file or something equally colossally dumb — and you can check if they’ve done that by looking at the source.

The source code will make life incrementally easier for the hackers, but if you have enemies smart enough to solve the RSA Problem then you’re fucked anyway.

]]> By: SupSuper http://www.apathysketchpad.com/blog/2009/02/27/progress-was-a-bad-idea/comment-page-1/#comment-5457 SupSuper Sat, 28 Feb 2009 16:19:01 +0000 http://www.apathysketchpad.com/blog/?p=992#comment-5457 I've always been a bit iffy about open-source encryption. I mean yes, I'm aware that decryption is not a simple matter of "reverse-engineering" so that even if you know the method, it'd take years of computer cycles to eventually crack one code. But having the source code right at hand is still a starting point for it. I dunno, maybe it's all the other open-source stuff that gets hacked every now and then that doesn't fill me with confidence. I’ve always been a bit iffy about open-source encryption. I mean yes, I’m aware that decryption is not a simple matter of “reverse-engineering” so that even if you know the method, it’d take years of computer cycles to eventually crack one code. But having the source code right at hand is still a starting point for it.

I dunno, maybe it’s all the other open-source stuff that gets hacked every now and then that doesn’t fill me with confidence.

]]>