New revelations on NSA capabilities yesterday in the New York Times: see
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html for a
jumping-off point.
The bottom line seems to be:
1) don't use RC4 (we're already working toward that goal, I believe)
2) don't use the Dual_EC_DRBG PRNG (see
http://crypto.stackexchange.com/questions/10189/who-uses-dual-ec-drbg)
Can someone take a look at our SSL configuration and see if we have
Dual_EC_DRBG enabled? (And if so, turn it off and use a better PRNG!)
--scott
ps. apparently Dual_EC_DRBG is built into Windows (!). A good reason not
to run your security-critical servers on Windows, I guess...
pps. if we're throwing stones, the Debian PRNG flaw is a big glass
window....
ppps.
http://blog.cryptographyengineering.com/2012/02/random-number-generation-il…
pppps. router/switch/firewall compromises have also been a big part of the
NSA story. Has anyone looked at our internal network infra closely?
--
(http://cscott.net)
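The two action items above (drop RC4, find out whether Dual_EC_DRBG is in play) are not the same kind of check. The DRBG question cannot be answered from a cipher string: in OpenSSL, Dual_EC_DRBG was only ever shipped in the separate FIPS object module, not in the stock library, and in Windows CNG it is the non-default BCRYPT_RNG_DUAL_EC_ALGORITHM provider rather than what BCryptGenRandom uses unless a caller asks for it. The RC4 question, on the other hand, is a config audit, and it is easy to get wrong because OpenSSL aliases like MEDIUM, DEFAULT, RSA and SHA all silently expand to RC4 suites. The script below is an added example written for this note, not Scott's code or anything from the list's infrastructure: it scans constructed nginx and Apache snippets (made up for the example) for ssl_ciphers / SSLCipherSuite values that can still negotiate RC4, using the OpenSSL 1.0.x alias behaviour as an assumption, and appends an explicit `!RC4` kill where one is missing.

```python
"""Flag TLS cipher strings that can still negotiate RC4 (added example).

Assumptions (not from the original note):
  * Alias expansion follows OpenSSL 1.0.x, where RC4 suites are 128-bit
    and therefore live in MEDIUM (hence also ALL and DEFAULT), not HIGH.
  * The config text below is constructed for the example.
The authoritative check for any string is:
    openssl ciphers -v 'STRING' | grep RC4
"""
import re

# OpenSSL 1.0.x aliases that expand to at least one RC4 suite
# (e.g. RC4-SHA, RC4-MD5, ECDHE-RSA-RC4-SHA).
RC4_BEARING = {
    "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "MEDIUM", "RC4",
    "SSLv3", "TLSv1", "RSA", "kRSA", "aRSA", "ECDH", "ECDHE", "EECDH",
    "MD5", "SHA", "SHA1",
}

# nginx `ssl_ciphers ...;` and Apache `SSLCipherSuite ...`, optionally quoted.
DIRECTIVE = re.compile(
    r'^\s*(?:ssl_ciphers|SSLCipherSuite)\s+"?([^";]+?)"?\s*;?\s*$', re.M
)


def _could_carry_rc4(token):
    """A '+'-joined token yields RC4 only if every component admits RC4."""
    parts = token.lstrip("+").split("+")
    return all(p in RC4_BEARING or "RC4" in p for p in parts)


def rc4_exposure(cipher_string):
    """Return the tokens that can pull RC4 suites in; [] means RC4 is excluded.

    In OpenSSL syntax '!RC4' is a permanent kill: nothing later in the string
    can re-enable it, so its presence neutralises every other hit.
    """
    tokens = [t for t in re.split(r"[:,\s]+", cipher_string) if t]
    if "!RC4" in tokens:
        return []
    return [
        t for t in tokens
        if not t.startswith(("!", "-")) and _could_carry_rc4(t)
    ]


def harden(cipher_string):
    """Append an explicit '!RC4' kill unless RC4 is already excluded."""
    if not rc4_exposure(cipher_string):
        return cipher_string
    return cipher_string + ":!RC4"


def audit_config(text):
    """List (directive value, offending tokens) for each cipher directive."""
    return [(m.group(1), rc4_exposure(m.group(1))) for m in DIRECTIVE.finditer(text)]


# Constructed sample: two nginx server blocks and two Apache directives.
SAMPLE_CONFIG = """\
server {
    ssl_ciphers HIGH:MEDIUM:!aNULL:!MD5;
}
server {
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:!aNULL;
}
SSLCipherSuite HIGH:!aNULL:!RC4
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA"
"""


def main():
    for value, hits in audit_config(SAMPLE_CONFIG):
        if hits:
            print(f"RC4 REACHABLE via {hits}: {value}")
            print(f"    suggested: {harden(value)}")
        else:
            print(f"ok: {value}")


if __name__ == "__main__":
    main()
```

Note the first sample line: `!MD5` removes RC4-MD5 but leaves RC4-SHA, which is exactly the kind of half-fix that passes a casual read of the config. Run the real `openssl ciphers -v` against the server's own OpenSSL build before trusting the alias table, since later releases changed which aliases include RC4.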