How To (And Not To) Make the Online Trust Honor ...

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

RetiredUser,
User Rank: Ninja
7/31/2017 | 2:46:22 PM

Re: impersonization, forgery, and fakes

100% behind you here, mack. There is room for the Public Key Model to improve, of course. Read an interesting paper "Soundness in the Public-Key Model" by Silvio Micali and Leonid Reyzin. From the ABSTRACT:

The public-key model for interactive proofs has proved to be quite effective in improving protocol efficiency (see Canetti, Goldreich, Goldwasser, Micali, STOC 2001). We argue, however, that its soundness notion is more subtle and complex than in the classical model, and that it should be better understood to avoid designing erroneous protocols. Specifically, for the public-key model, we:

identify four meaningful notions of soundness;
prove that, under minimal complexity assumptions, these four notions are distinct;
identify the exact soundness notions satisfied by prior interactive protocols; and
identify the round complexity of some of the new notions.

Reply | Post Message | Messages List | Start a Board

100%

macker490,
User Rank: Ninja
7/18/2017 | 8:21:33 AM

impersonization, forgery, and fakes

what do the sites do to prevent the "Bad Guys" from impersonating them -- or transmitting fakes and forgeries?

sites focus tons of effort on identifying their customers.    but what do customers do in order to authenticate sites?

we rely on a large list of x.509 certificates -- published by our web browsers -- and most of us -- have no clue what's in that list.

For Critical Sites Only:    we all need to COUNTERSIGN trusted certificates using our own PGP/GnuPG key

in the Public Key Model this step is required in order to validate a key.   Keys must be validated before a trust level can be assigned.

give this some thought.   "They" want to authenticate you -- but -- you need to authenticate them -- and the model we use today -- fails.   That's an F

Reply | Post Message | Messages List | Start a Board

Editors' Choice

How SolarWinds Busted Up Our Assumptions About Code Signing

Dr. Jethro Beekman, Technical Director, 3/3/2021

'ObliqueRAT' Now Hides Behind Images on Compromised Websites

Jai Vijayan, Contributing Writer, 3/2/2021

Attackers Turn Struggling Software Projects Into Trojan Horses

Robert Lemos, Contributing Writer, 2/26/2021

Live Events

Webinars

Interop Digital - Free Cybersecurity Event April 29

Communications & Collaboration: 2024 (March 9-10)

AI and ML: Implications for Enterprise Security (April 29)

More Informa Tech Live Events

White Papers

7 Experts on Implementing Microsoft Defender for Endpoint

A Guide to Build vs Buy Service Models for Threat Detection and Response

Simplify Your Application Security

How to Build Your Incident Response Plan

MontanaPBS Shifts to Agile Broadcasting with Help from Raritan KVM Solutions

More White Papers

Cartoon Contest

Write a Caption, Win an Amazon Gift Card! Click Here

Latest Comment: George has not accepted that the technology age has come to an end.

Cartoon Archive

Current Issue

2021 Top Enterprise IT Trends

We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

How Enterprises are Developing Secure Applications

Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.

Download Now!

Assessing Cybersecurity Risk in Today's Enterprises

0 comments

The Malware Threat Landscape

0 comments

How Data Breaches Affect the Enterprise (2020)

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-26814
PUBLISHED: 2021-03-06

Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...

CVE-2021-27581
PUBLISHED: 2021-03-05

The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.

CVE-2021-28042
PUBLISHED: 2021-03-05

Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.

CVE-2021-28041
PUBLISHED: 2021-03-05

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

CVE-2021-3377
PUBLISHED: 2021-03-05

The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]