[Wikimedia-l] Disinformation regarding perfect forward secrecy for HTTPS
James Salsman
jsalsman at gmail.com
Fri Aug 2 21:06:04 UTC 2013
Marc A. Pelletier wrote:
>...
> A minor random increase of size in document wouldn't even slow
> down [fingerprinting.]
That's absolutely false. The last time I measured the sizes of all
9,625 vital articles, there was only one at the median length of
30,356 bytes but four articles up to 50 bytes larger. Scale that up to
4,300,000 articles, and are you suggesting anyone is seriously going
to try fingerprinting secondary characteristics for buckets of 560
articles? It would not only slow them down, it would make their false
positive rate useless.
This is why we need cryptography experts instead of laypeople making
probabilistic inferences on Boolean predicates.
Marc, I note that you have recommending not keeping the Perl CPAN
modules up to date on Wikimedia Labs:
http://www.mediawiki.org/w/index.php?title=Wikimedia_Labs/Tool_Labs/Needed_Toolserver_features&diff=678902&oldid=678746
saying that out of date packages are the "best tested" when in fact
almost all CPAN packages have their own unit tests. That sort of
reasoning is certain to allow known security vulnerabilities to
persist when they could easily be avoided.
Anthony wrote:
>
> How much padding is already inherent in HTTPS?
None, which is why Ryan's Google Maps fingerprinting example works.
>... Seems to me that any amount of padding is going to give little
> bang for the buck....
Again, can we please procure expert opinions instead of relying on the
existing pool of volunteer and staff opinions, especially when there
is so much FUD prevalent discouraging the kinds of encryption which
would most likely strengthen privacy?
More information about the Wikimedia-l
mailing list