Adam Langley

Have you got a HTTPS website? If so, we’re happy to let you know that AdSense has enabled support for ad serving on Hypertext Transfer Protocol Secure (HTTPS) pages. Read more on our blog on how you can monetize content on your HTTPS site and let us know what you think of this update by leaving a comment below. http://goo.gl/QizLpU

Commenters: William Chan, Ryan Sleevi, Lucian Armasu

+Adam Langley Can you convince Google to buy the ECC patents from Blackberry and make them public domain?
http://en.wikipedia.org/wiki/ECC_patents

It would be a huge boon for the cryptography community, and now it's the time to do it as Blackberry is being sold in pieces. We probably wouldn't want them to end up in the hands of a patent troll like Microsoft or worse, would we? It might even push companies to adopt ECC/ECDHE faster.

Blackberry should also have other smartphone-related patents that should be higher quality than Motorola's, so they should consider that, too, for the mobile business.

Adam Langley

Reminder: Microsoft is getting ready to turn off < 1024-bit RSA certs next month (much like we did in Chrome nearly a year ago, in http://crrev.com/114709 and Apple did in 10.7.4 / http://support.apple.com/kb/HT5281 ).

If you use Tomato firmware (which seems to be pretty spotty on security to begin with), heads up that you could lose access to your router - http://sahissam.blogspot.com/2012/06/new-ssl-certificates-for-tomatousb-and.html

Additionally, a number of filtering proxies seem to be using 512-bit keys, so if you're behind such a corporate network, well, sucks to be you, your admin should upgrade. Finally, if you still see errors, you've probably got a malware infestation, and should clean it.

Adam Langley

If you're suddenly getting "Your profile could not be opened correctly" messages with Chrome 20, you probably have AVG antivirus installed: http://crbug.com/135342

In short, AVG is directly mucking with the on-disk profile data of Chrome users, in order to mess with their search engine settings in Chrome.  This is a malware-level tactic and completely unacceptable even if it wasn't also causing error messages.  If you're affected, uninstall AVG, and then nuke the "Web Data" file in your Chrome profile directory (see http://www.chromium.org/user-experience/user-data-directory for how to find this) and restart Chrome.

Even if you're not affected, I suggest not patronizing companies that pull stunts like this.  There are free alternatives to AVG such as Microsoft Security Essentials and several others.

Adam Langley

I finished 6.002x (MITx's experiment in running a circuits and electronics course online.)

The course itself is very good. My basic electronics wasn't completely absent beforehand, but it had been many years at least and it was good to get a refresher.

Having 1.5x videos is key. I wouldn't have been able to put up with 1x videos for 14 weeks.

Their HTML circuit simulator is very impressive. It's not hugely complex but it works well and is capable of AC analysis, graphing the results and so on.

The work load was slightly troublesome. It only took a few hours a week, but I probably did the minimum possible. (I did the lectures and homeworks each week, but not the optional tutorials.) When I was forced to miss a week, catching up on double the following weekend was a drag.

~155K people registered, ~26K started and ~7K finished. That's quite the dropout rate, but I'm sure that 7K is more than 20x the number of people who take it at MIT each year. In terms of educational efficiency, it's staggeringly effective.

I look forward to seeing what else MITx (now EDx with Harvard onboard) does in the future.

http://www.edxonline.org/

Commenters: Greg Hoke

I thoroughly enjoyed the course. I stumbled on the 12 hour final, which I am still gleaning knowledge from. I used google spreadsheets for nearly all my work. Now I am attempting to learn to use mathematical tools such as maxima and octave. I have set up a home electronics lab. I hope I can stick with this learning trend. It clears the cobwebs and may result in something useful.

Adam Langley

I'll be at RSA 2012 in San Francisco at the end of the month and will be speaking with several others about certificate revocation (tech-106, Tuesday, 1pm).

If you want to chat and don't manage to grab me then, drop me an email.

Commenters: Paul Hoffman, Adam Langley, Zooko Wilcox-O'Hearn

+Zooko Wilcox-O'Hearn I'm afraid I'm flying back at the end of the week, so won't be able to catch you!

+Paul Hoffman It's more positive than the title might suggest :)

Adam Langley

As of http://crrev.com/200704 , Chromium will no longer be granting "secure" display status to SSL sites using internal/non-ICANN assigned/non-unique names issued by publicly trusted CAs.

This is an important forward step towards recognizing the security concerns that come from having the possibility of multiple CAs issuing certificates for the same host (eg: "webmail" or "intranet.corp").

For more information about the risks of such certificates, as well as migration paths forward, https://cabforum.org/Guidance-Deprecated-Internal-Names.pdf is a good starting point.

This first step does not display an error page - it simply causes the Omnibox to no longer indicate a secure lock, as well as additional details. Future releases of Chromium will see this refined and adjusted.

If you find any bugs or issues, please report them at http://crbug.com/new

Commenters: Daira Hopwood, Anton Piatek, Adam Langley, Stephen Shankland

Thanks for the reference to that paper.

Adam Langley

I did a preliminary analysis last night of the most popular passwords and domain names appearing in the Yahoo data breach (even though I'm in theory taking time off from work!). We included highlights in the below CNET story, but here are some of the raw data.

all *.gov domains = 123
all *.edu = 8,539
all *.mil = 328
army.mil = 168
navy.ml = 63
usdoj.gov = 3
fbi.gov = 1 (an agent specializing in Homeland Security and counterterrorism who used "PA$$w0rd01" as password)
eop.gov (Whitehouse.gov) = 0

These are case-insensitive, meaning "hottie" is treated the same as "hoTTiE":*
48 = number of times "booty" was used in an email address or password
550 = number of times "hate" was used in an email address or password
7,192 = number of times "love" was used in an email address or password
516 = number of times "ninja" was used in an email address or password

733 = number of times "fuck" was used in a password
1,163 = number of times "god" was used in a password**
933 = number of times "jesus" was used in a password 
121 = number of times "allah" was used in a password 
116 = number of times "devil" was used in a password

9 = number of times "bitch" was used as a password
9 = number of times "baby" was used as a password
15 = number of times "hottie" was used as a password
2 = number of times "mom" was used as a password
0 = number of times "dad" was used as a password 
18 = number of times "grandma" was used as a password 
12 = number of times "grandpa" was used as a password
0 = number of times "boyfriend" was used as a password
4 = number of times "girlfriend" was used as a password
8 = number of times "husband" was used as a password
1 = number of times "wife" was used as a password
2 = number of times "binladen" or "binladen02l" was used as a password
780 = number of times "password" was used as a password (case-sensitive)
797 = number of times "password" was used as a password (case-insensitive)

Here are the totals in two tables (top 100 domain name frequency, followed by top 1,000 password frequency):


* Note the passwords in the above list are case-sensitive, while the summary is case-insensitive: there are 17 "grandmas" and one "Grandma"
** God-used-in-a password also matches "goddess" and "godswill" and "godzilla." The as-a-password count is specific.

Adam Langley

https://media.torproject.org/misc/2012-07-03-cyberoam-CVE-2012-3372.txt

Vulnerability in Cyberoam DPI devices [30 Jun 2012] (CVE-2012-3372)
===================================================================

Cyberoam make a range of DPI devices (http://www.cyberoamworks.com/)
which are capable of intercepting SSL connections.

In common with all such devices, in order to intercept these
connections without causing certificate warnings, the devices require
that a certificate must be issued for the intercepted site by a CA
browsers trust.

There are two ways to achieve this - one is to persuade an existing
trusted CA to issue a certificate for the site to be intercepted, or an
intermediate CA that can then be used to generate new certificates on
the fly. This latter behaviour recently got Trustwave in trouble.

The second method is to have each willing victim[1] install a new
trusted CA in their browser, and have that CA issue the fake
certificates. This is, of course, the only legitimate way to use these
devices and we are pleased to see that this is the approach Cyberoam
reveal to the public.

However, it is a little surprising that the Cyberoam devices appear to
all use exactly the same CA. This can be seen to be so by looking at
the support page describing how to avoid warnings:
http://docs.cyberoam.com/default.asp?id=300. Examination of a
certificate chain generated by a Cyberoam device shows that this CA is
not used to sign an intermediate which is then used by the device, and
so therefore all such devices share the same CA certificate and hence
the same private key.

It is therefore possible to intercept traffic from any victim of a
Cyberoam device with any other Cyberoam device - or, indeed, to
extract the key from the device and import it into other DPI devices,
and use those for interception. Perhaps ones from more competent
vendors.

[1] In the corporate setting, willing victims are often known as
"employees". Unwilling victims should not, of course, install the CA
certificate, nor should they click through certificate warnings.

Mitigation
==========

Victims should uninstall the Cyberoam CA certificate from their
browsers and decline to complete any connection which gives a
certificate warning.

Credit
======

This issue was discovered and analysed by Runa A. Sandvik of the Tor
Project and Ben Laurie.

Adam Langley

https://6002x.mitx.mit.edu/

6.002x is the first course from MITx - MIT's online learning system. I think that they might change for some of the future courses, but this is something of a beta test and so 6.002x (Circuits and Electronics) is free.

It started last week, so this is technically week 2 (and the first homework is due on Friday). However, I didn't start until yesterday and I'm caught up now. If you were to start in the next few days, it shouldn't be too much of an issue to catch up.

It's also a great choice by MIT for a first course because it's technical (and, probably, so are their beta testers going to be), but with very few prerequisites. Basically, knowing what a volt and ampere are is mostly sufficient.

I'm also very glad that they offer the videos at 1.5x speed. That makes it much more enjoyable.

I don't know whether I'll make it the whole way through. Other demands on my time might preempt it, but I'll try.

If I had a nit it would be that the course contents were rather opaque without registration. However, since I've registered I can give you the link to the outline (which doesn't appear to need a login to access): https://6002x.mitx.mit.edu/static/handouts/calendar.pdf

Commenters: Paul Hoffman, Mike Moate

Just seeing course numbers again makes me cringe. Thank you for posting one that didn't begin with "5".

Adam Langley

I guess most people have heard about "Ron was wrong, Whit is right" (http://eprint.iacr.org/2012/064.pdf) by now. It's the paper where a number of folks looked at a large number of public keys and found that a small fraction (~0.4%) had weaknesses.

You should also see https://www.freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs where Nadia Heninger appears to have been doing the same work without knowing about the other effort.

It's neat work, and (effectively) calculating the pair-wise GCD is a nice trick. However, I don't agree with the central premise behind the title of the first paper: that RSA is somehow weaker because it needs two random numbers.

Heninger's post suggests that it's the first of the primes that has the biggest problem. So, an algorithm which only needs a single random number is likely to be more affected, not less. And algorithms like DSA and ECDSA can compromise a public key with a weak nonce during signing, which RSA can't.

I really don't know where that came from in an otherwise fine paper.

Commenters: Elazar Leibovich

Isn't it easier to find two keys that share GCD, than to try and bruteforce the weak key (which means for instance, that you need to know their PRNG, and the weak source of real entropy)?
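
The pairwise-GCD check discussed in the post above, written as an audit a defender can run over the public keys of their own fleet; this is an added example, not code from the post or from either paper. It uses a product tree and a remainder tree so every modulus is checked against all the others without one gcd per pair; the host names and the toy moduli (products of Mersenne primes) are constructed for illustration.

```python
"""Audit a set of RSA public moduli for shared prime factors (batch GCD)."""
from math import gcd, prod


def product_tree(values):
    """Levels of the product tree: level 0 holds the inputs, the last level
    holds the single product of all of them."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([prod(cur[i:i + 2]) for i in range(0, len(cur), 2)])
    return levels


def batch_gcd(moduli):
    """Return gcd(N_i, product of all other N_j) for every N_i.

    Walks a remainder tree down from P = prod(N_j), reducing modulo the
    square of each node, so the cost is quasi-linear rather than quadratic.
    """
    levels = product_tree(moduli)
    rems = levels[-1]
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod N_i^2) // N_i equals (P / N_i) mod N_i
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit(keys):
    """keys: {name: modulus}. Return {name: (status, peers)} for every key
    that shares a factor with another key and therefore needs rotating."""
    names = list(keys)
    mods = [keys[n] for n in names]
    flagged = [i for i, g in enumerate(batch_gcd(mods)) if g != 1]
    findings = {}
    for i in flagged:
        # Pairwise gcd only among the (few) flagged keys, to name the peers.
        # This also resolves the case where batch_gcd returned N_i itself
        # (identical modulus elsewhere, or both primes shared).
        peers = [j for j in flagged
                 if j != i and gcd(mods[i], mods[j]) != 1]
        dup = any(mods[j] == mods[i] for j in peers)
        status = "duplicate-modulus" if dup else "shared-prime"
        findings[names[i]] = (status, sorted(names[j] for j in peers))
    return findings


def mersenne(e):
    """2**e - 1; prime for the exponents used below (constructed toy data)."""
    return 2 ** e - 1


# Constructed sample fleet: host-a and host-b share their first prime,
# host-d and host-e carry the very same key, host-c is healthy.
FLEET = {
    "host-a": mersenne(61) * mersenne(89),
    "host-b": mersenne(61) * mersenne(107),
    "host-c": mersenne(127) * mersenne(31),
    "host-d": mersenne(19) * mersenne(17),
    "host-e": mersenne(19) * mersenne(17),
}

if __name__ == "__main__":
    for name, (status, peers) in sorted(audit(FLEET).items()):
        print(f"{name}: {status} with {', '.join(peers)}")
```

The duplicate-modulus result is the same symptom the Cyberoam advisory shared on this page describes: one key pair present on more than one device.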