[tor-talk] A way to reduce service impersonation
arrase
arrase at gmail.com
Wed Oct 26 01:36:24 UTC 2016
On 26 Oct 2016 3:17 a.m., "Michael" <strangerthanbland at gmail.com> wrote:
>
> Well I took a look into the code, not my primary language but readable,
> and have some concerns and some suggestions...
>
> # Concerns
>
> Opening signing up to an API is a very bad idea especially if the server
> administrator is using keys vulnerable to "known word" attacks, below is a
> link to the severity and key types affected.
>
> https://en.m.wikipedia.org/wiki/Digital_Signature_Algorithm#Sensitivity
>
> While sub key use may mitigate this; the whole concept of clients sending
> data for servers to process is fraught with danger... I will confess that I
> didn't read deep enough into the servers' side to inspect if the received
> strings were being scrubbed, nor do I have the expertise to know what that
> would look like in Python but I've enough knowledge to know that it's
> tough no matter the language
You're right, casually I have modified the algorithm a few hours ago for
that reason :).
I am in the process of developing the idea and all comments are welcome.
English is not my native language so I'll read the rest of your mail
tomorrow.
Greetings and good night :)