SoylentNews is people
SoylentNews
Just recently, I moved my personal website to HTTPS, making sure to use a secure 2048-bit RSA key and TLS 1.2, and guarding against vulnerabilities such as POODLE and Logjam. It took some work, but not that much work, even for doing the research. Yet there are some people who just don't care.
Due to a new technique, 512-bit keys are now completely vulnerable for as little as $75.
The technique, which uses Amazon's EC2 cloud computing service, is described in a paper published last week titled Factoring as a Service .
[...] The researchers concluded that despite widespread awareness that 512-bit keys are highly susceptible to breaking, the message still hasn't adequately sunk in with many administrators. The researchers wrote:
512-bit RSA has been known to be insecure for at least fifteen years, but common knowledge of precisely how insecure has perhaps not kept pace with modern technology. We build a system capable of factoring a 512-bit RSA key reliably in under four hours. We then measure the impact of such a system by surveying the incidence of 512-bit RSA in our modern cryptographic infrastructure, and find a long tail of too-short public keys and export-grade cipher suites still in use in the wild. These numbers illustrate the challenges of keeping an aging Internet infrastructure up to date with even decades-old advances in cryptanalysis.
The article reports finding a significant number of sites that are still using 512-bit RSA keys to protect HTTPS, DNSSEC, ssh, e-mail (SMTP, POP3, and IMAP), and other services.
(Score: 2) by stormwyrm on Wednesday October 21 2015, @09:46PM
To get a map and print it out and make sure that it's the real map? Check webmail for something you believe is disposable? You might believe something is disposable but do remember that miscreants can always find creative uses for such things that you haven't thought of. I'd say 2048 at least, or 4096 even better. I'd say a bit of paranoia is better given that it in this day and age when Moore's Law has given us so much computing power it doesn't really cost that much more to be using 4096-bit keys rather than 512. Can you really notice the difference when connecting to such sites? And if someone out there is still using a weak key like that how do you know they aren't using it to encrypt other data that you do care about? Better to use something stronger when possible. There is no reason and no excuse to be using a 512-bit key in this day and age!
Numquam ponenda est pluralitas sine necessitate.
(Score: 2) by deimtee on Thursday October 22 2015, @02:00AM
And really, for some of the connections, it 512 is fine. How many bits of encryption do you need to get a map and print it out or check webmail for something you believe is disposal? The right tool for the right job.
To get a map and print it out and make sure that it's the real map?
If I ask for a map, I expect it within a few seconds. Even if someone wants to spend $75 and crack the encryption, I am not going to wait four hours for them to fudge around with it. For certifying that content is not tampered with, 512 bits is fine.
If you have something that needs to remain secret then sure, you need more bits.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 2) by stormwyrm on Thursday October 22 2015, @02:08AM
Numquam ponenda est pluralitas sine necessitate.