Tag Archives: encryption

Telegram 使用 CDN 加速下載

Telegram 說明他們將會使用 CDN 加速:「More Speed and Security!」。 資料在 CDN 的節點上是加密的,金鑰需要透過 Telegram 的 key server 提供: While these caching nodes are only used to temporarily store public media (imagine Telegram versions of superpopular YouTube hits), all data that goes through them … Continue reading

Posted in CDN, Computer, Murmuring, Network, Privacy, Security, Service, Software, WWW | Tagged , , , , , , , , , , , , , | 1 Comment

AES-GCM-SIV

在「AES-GCM-SIV: Specification and Analysis」這邊看到 AES-GCM-SIV 的作者自己投稿上去的資料,是個已經被放進 BoringSSL 並且在 QUIC 上使用的演算法: We remark that AES-GCM-SIV is already integrated into Google's BoringSSL library \cite{BoringSSL}, and its deployment for ticket encryption in QUIC \cite{QUIC} is underway. 在 RFC 上的說明解釋了這個演算法的目的是希望當 nonce 沒有被正確實作時仍然可以有比 AES-GCM 強的保護: … Continue reading

Posted in Computer, Murmuring, Network, Security, WWW | Tagged , , , , , , , , , , , | Leave a comment

Amazon Redshift 可以讀 S3 裡被 KMS 加密過的資料了

清資料時發現支援了:「Amazon Redshift now supports encrypting unloaded data using Amazon S3 server-side encryption with AWS KMS keys」: The Amazon Redshift UNLOAD command now supports Amazon S3 server-side encryption using an AWS KMS key. 這樣資料丟上 Amazon S3 時可以透過 AWS KMS 加密保存,而 Amazon … Continue reading

Posted in AWS, Cloud, Computer, Database, Murmuring, Network, Security, Software | Tagged , , , , , , , , , | Leave a comment

Google Cloud Platform 提供 Cloud Key Management Service

GCP 提供 Cloud Key Management Service (目前是 beta),將對 key 的處理 (像是加解密) 變成服務的一部分。 費用的部份,比較大的量應該會在「Key use operations (Encrypt/ Decrypt)」這塊?每一萬次收 USD$0.03。 自己建會有一堆稽核問題要處理,有人建起來後直接用,拔責任直接拆開的確是比較方便...

Posted in Cloud, Computer, Murmuring, Network, Security | Tagged , , , , , , , , , , , | Leave a comment

前陣子在 Black Hat 上發表的 HEIST 攻擊 (對 HTTPS 的攻擊)

又是一個對 HTTPS 的攻擊:「HEIST attack on SSL/TLS can grab personal info, Black Hat」、「New attack steals SSNs, e-mail addresses, and more from HTTPS pages」。 一樣是 Compression 產生的 side-channel attack,只是這次是結合 TCP window size 的攻擊。投影片可以在「HTTP Encrypted Information can be Stolen through TCP-windows (PDF)」這邊看到。 這次的攻擊只需要在瀏覽器上插入 … Continue reading

Posted in Browser, Computer, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , , , , , , , , | Leave a comment

CIA 老大告訴參議員,在加密系統裡放後門是可行的,因為沒有公司可以逃離美國魔掌

如同標題講的,CIA 老大 John Brennan 告訴參議員,因為實務上不存在「Non-US encryption」,所以強制任何要進入美國的企業使用美版帶有後門的加密系統是可行的:「Non-US encryption is 'theoretical,' claims CIA chief in backdoor debate」。 CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no … Continue reading

Posted in Computer, Murmuring, Network, Political, Security, Social | Tagged , , , , , , , , , | Leave a comment

Google 刻意讓 Allo 不安全的方法

兩篇文章與一則 tweet 剛好可以一起看。 兩篇文章分別是「Don't Use Allo」講 Google Allo 預設沒有加密的問題,與「How Technology Hijacks People’s Minds — from a Magician and Google’s Design Ethicist」講如何設計產品來改變人的行為。 在市場上的領先者 Whatsapp 已經啟用預設 end-to-end encryption 後,Google Allo 之所以不是預設加密的原因,是基於這樣的設計方法,因為 Google 並不想要加密: Businesses naturally want to make the choices they want you to … Continue reading

Posted in Computer, Murmuring, Network, Security, Social, Software | Tagged , , , , , , | 2 Comments

Amazon Fire 會把加密系統弄回來

在 FBI 與 Apple 的戰爭開打後,愈來愈多安全與隱私問題被重新拿出來檢驗,而 Amazon 也決定將 2015 年拔掉的加密功能搬回 Fire OS 裡:「Amazon Reverses Course, Encryption Returning for Fire Devices」: Amazon.com Inc. will restore encryption as a security option on its tablets and other devices that use the Fire operating system, … Continue reading

Posted in Computer, Hardware, Murmuring, Network, OS, Security, Software | Tagged , , , , , , , , , , | Leave a comment

百度被抓到蒐集個資後還是要蒐集...

在「Thousands of apps running Baidu code collect, leak personal data - research」這篇裡,加拿大的研究團隊 Citizen Lab 發現百度的 Android SDK 使用非加密傳輸這些個資: The unencrypted information that has been collected includes a user's location, search terms and website visits, JeffreyKnockel, chief researcher at Citizen Lab, … Continue reading

Posted in Computer, Murmuring, Network, Security, Software, Telephone, WWW | Tagged , , , , , , , , , | Leave a comment

GitHub 的 SSL (HTTPS) 也支援 PFS 與 AE 了...

GitHub 在 2013 年底的公告:「Introducing Forward Secrecy and Authenticated Encryption Ciphers」。 愈來愈多服務升級 & 調整 SSL (HTTPS) 的設定,支援 PFS (Perfect Forward Secrecy) 與 AE (Authenticated Encryption)。 PFS 要預防的事情我可以理解,但對 AE 的必要性不熟啊... 再去看看整個理論基礎與目的好了...

Posted in Computer, Murmuring, Network, Security, WWW | Tagged , , , , , , , , , | Leave a comment