Seer of the tapes! Knower of the episodes!

  • 0 Posts
  • 46 Comments
Joined 1 year ago
Cake day: July 3rd, 2023


  • “If lawmakers want to rein in the harms of social-media platforms, targeting just one under the guise of national security ignores an entire industry predicated on surveillance capitalism. Like all popular platforms — including those that Meta and Google own — TikTok collects far too much user data. But banning a single platform will not address the privacy problem that’s rotting the core of the entire tech industry.”

    If domestic social media is collecting dangerous amounts of personal info about Americans, then foreign social media that are subject to the laws of adversarial nation-states should be seriously concerning.

    The matter of domestic social media will have to be addressed by a completely different law because it cannot be addressed by a law similar to this new one. People who bring up domestic social media in discussions of this law are completely missing the point.



  • SSL/TLS, the “S” in HTTPS, and other network encryption protocols such as SSH, use a technique called a Diffie-Hellman key exchange. This is a mode of cryptography where each side generates two keys: a public half and a private half. Anything encrypted with the public half is only decryptable by the associated private half (and vice versa).

    You and YouTube only ever exchange the public halves of your respective key pairs. If someone snoops on the key exchange, all they can do is insert spoofed messages, not decrypt real ones.

    Moreover, the key pairs are generated on the fly for each new session rather than reused. This means that even a future compromise of YouTube won’t unlock old sessions. This is a concept called forward secrecy.

    Message spoofing is prevented by digital signatures. These also use the Diffie-Hellman principle of pairs of public/private keys, but use separate longer-term key pairs than those used with encryption. The public half of YouTube’s signing key, as presented by the server when you connect to it, has to be digitally signed by a well-known public authority whose public signing key was shipped with your web browser.
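
The exchange described in the comment above, as an added Go example that is not part of the comment or of any project's code: each side makes a per-session X25519 key pair, only public halves cross the wire, and the client accepts the server's half only if it is signed by a long-term Ed25519 key it already trusts. It signs only the server's key share, whereas TLS 1.3 signs the whole handshake transcript and passes the shared secret through a key-derivation function; the names `Hello`, `newEphemeral`, `serverHello`, `derive` and `clientSecret` are made up for this example.

```go
package main
import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Hello carries the server's ephemeral public half and a signature over it.
type Hello struct{ EphemeralPub, Sig []byte }

// newEphemeral creates a fresh X25519 key pair, used for one session only.
func newEphemeral() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// serverHello signs the ephemeral public half with the long-term key.
func serverHello(longTerm ed25519.PrivateKey, eph *ecdh.PrivateKey) Hello {
	pub := eph.PublicKey().Bytes()
	return Hello{EphemeralPub: pub, Sig: ed25519.Sign(longTerm, pub)}
}

// derive combines our private half with the peer's public half.
func derive(eph *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return eph.ECDH(peer)
}

// clientSecret rejects an unsigned or swapped key share before deriving.
func clientSecret(trusted ed25519.PublicKey, eph *ecdh.PrivateKey, h Hello) ([]byte, error) {
	if !ed25519.Verify(trusted, h.EphemeralPub, h.Sig) {
		return nil, fmt.Errorf("server key share failed signature check")
	}
	return derive(eph, h.EphemeralPub)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // long-term signing key (constructed)
	c, s := newEphemeral(), newEphemeral()
	cs, _ := clientSecret(pub, c, serverHello(priv, s))
	ss, _ := derive(s, c.PublicKey().Bytes())
	fmt.Println("secrets match:", string(cs) == string(ss))
}
```

Because `newEphemeral` is called once per session and the private halves are discarded afterwards, a later leak of the long-term signing key lets nobody recompute an old session's secret.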




  • Even the researcher who reported this doesn’t go as far as this headline.

    “I am an admin, should I drop everything and fix this?”

    Probably not.

    The attack requires an active Man-in-the-Middle attacker that can intercept and modify the connection’s traffic at the TCP/IP layer. Additionally, we require the negotiation of either ChaCha20-Poly1305, or any CBC cipher in combination with Encrypt-then-MAC as the connection’s encryption mode.

    […]

    “So how practical is the attack?”

    The Terrapin attack requires an active Man-in-the-Middle attacker, that means some way for an attacker to intercept and modify the data sent from the client or server to the remote peer. This is difficult on the Internet, but can be a plausible attacker model on the local network.

    https://terrapin-attack.com/