[Cryptech Tech] News

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 3 00:54:36 UTC 2016


Russ Housley <housley at vigilsec.com> writes:

>I thought people on this list would find this article interesting:
>http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/

If you read the discussion around that it's far more likely to be due to
incompetence.  The flawed 1024-bit prime was replacing the 512-bit prime that
had been in use until then, and the guy who made the change was asking for
help with various other things which indicated he wasn't the most capable
developer (I don't have the links any more but it was linked off a thread on
ycombinator).  It just looks like standard badly-done crypto, they also do
things like tell you how to set up the SSL tunnel without any mention of
validating certs so it's unlikely they check those, and various other signs
that they're not doing the crypto too well.

Peter.

