How the NSA can break trillions of encrypted Web and VPN connections

Discussion in 'Serious Discussion' started by CHEF-KOCH, Oct 16, 2015.

  1. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    941
    874
    30
    #1 CHEF-KOCH, Oct 16, 2015
    Last edited: Oct 21, 2015
    Researchers show how mass decryption is well within the NSA's $11 billion Budget.

    [​IMG]


    Orig. Source:
    * http://arstechnica.com/security/201...illions-of-encrypted-web-and-vpn-connections/


    Research and to understand the article:
    * https://www.lawfareblog.com/nsa-and-weak-dh
    * https://weakdh.org/sysadmin.html
    * http://en.wikipedia.org/wiki/Perfect_forward_secrecy
    * https://en.wikipedia.org/wiki/Dual_EC_DRBG
    * http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
    * http://en.wikipedia.org/wiki/General_number_field_sieve
    * http://arstechnica.com/security/201...ns-tens-of-thousands-of-web-and-mail-servers/
    * http://www.sigsac.org/ccs/CCS2015/
    * https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
    * http://arstechnica.com/security/201...-into-groundbreaking-crypto-cracking-program/
    * http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
    * http://www.theatlantic.com/technolo...-nsa-tracks-peoples-physical-location/283745/


    Papers:
    * https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf


    Protection:
    * Stay tuned I will write several guides on my gist how to avoid most of all fingerprints.
     
  2. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    941
    874
    30
    #2 CHEF-KOCH, Oct 17, 2015
    Last edited: Oct 17, 2015
    (OP)
    Seems I was already to slow on it, eff already gave some tips to protect against such attacks. Since this isn't a full protection I still think about it to write a small guide which will explain the following topics, DNS attacks, DOS, chiper attacks via side-channel and how to really use SSH keys to protect against DDOS and Login attacks.


    Edit:
    The user.js script I'm working with/on is to harden the Linux/Windows Firefox Version, and also hardens the root certificates. Instead of addons this is much better do the fact it works directly on the first start, which means that this is an benefit over all existent config, besides this aspect it also works for all FF versions and all OS right out-of-the-box by placing this file in your profile folder.
     
  3. wmh

    wmh MDL Junior Member

    Jun 30, 2015
    98
    15
    0
    Hello CHEF-KOCH!

    Should I put this user.js of yours along prefs.js, addons.json, logins.json, etc.?

    I found these under /home/user/.mozilla/firefox/xxxxx.default
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    941
    874
    30
    Hello, no need to full qoute me.

    Yes, the user.js file is, as the name said an user own preferences file which belongs in your profile folder. The benefit of using it is that you can drop that file into your profile folder even before you started the browser the first time. So compared to the addons/plugins it hardens your preferences just from the beginning. Also another benefit is that it works OS independent (except FF on Android since this mostly use other preferences for W-Lan and so on).

    I think it's a good start especially because the addons/extensions/plugins possible also leaking sensitive information, while such a small .js file doesn't sent anything back.

    Please enjoy. :biggrin: