
Web Security Thread

Name: Anonymous 2018-05-31 18:51

ITT we discuss web security.

Name: Anonymous 2018-06-11 12:46

>>26
>therefore you can't meet people in college
Not what I said.

>>29,30
It only has some collision attacks, it does not have any important preimage attacks.

Name: Anonymous 2018-06-11 13:16

Hardened Md5-2
Drop the block C nl input, and xor the data input into state C

inb4 collisions everywhere

Name: Anonymous 2018-06-11 13:30

>>41
are you actually trolling? there's no need for better-than-bruteforce preimage attacks when bruteforce is fast as fuck.

Name: Anonymous 2018-06-11 13:31

collide with my dubs!

Name: Anonymous 2018-06-11 13:33

\(H(10, H(10, H(00, i_0) \oplus H(01, i_1)) \oplus H(11, H(00, i_2) \oplus H(01, i_3)))\)
for H = chacha12 or whatever

Name: Anonymous 2018-06-11 13:36

Good luck brute-forcing \(2^{123}\) md5 evaluation in order to achieve a preimage within this aeon. You know that this is similar to the security provided by AES 256, right? Edited on 11/06/2018 13:37.

Name: Anonymous 2018-06-11 13:38

>>46
IHBT and I'm ashamed of even replying to you

Name: Anonymous 2018-06-11 13:41

>>47
Please never work for anything security related.

Name: Anonymous 2018-06-11 14:01

>>48
on the other hand, I hope you do work for security-related stuff and put that 'secure' MD5 everywhere. it's just like AES!

Name: Anonymous 2018-06-11 14:24

Ah, so it does do four rounds of each input, lol
It'd be swiss cheese otherwise

Name: Anonymous 2018-06-11 14:47

>>49
You are on a web security thread, how can you not know the difference between preimage and collision attacks? And how can you claim that brute-forcing through a \(2^{128}\)-sized set is fast?
Sure, tell me how in this case it is less safe than AES.

Name: Anonymous 2018-06-11 18:23

>>21
What type of people should one befriend, and how?
Extroverted looking people, by means of kindness and cock sucking?

Name: Anonymous 2018-06-11 19:57

>>52

How? Food, drinking, clubs, group projects, study groups, etc. I have met friends while studying abroad (other people from the same uni who were studying abroad with me). I have gotten close to a few professors. I hang out with my coworkers. I still stay in touch with old high school friends. I go to events on campus. I go to meet ups and user groups. I meet people on Twitter and in my uni’s slack team and we get together for extracurricular stuff or studying for tests.

People I meet introduce me to other people. I have made apps and websites with people. I go to the gym with my friends. I have roommates. I move every now and then and get new roommates.

I use most major social media platforms. I invite people to hang out using group chats. I add people even if we’re not really close. I come up with group projects we can do, instead of just hanging out and talking and doing nothing. I go out to eat a lot. I study in the library instead of my apartment. I join clubs, even if I quit them later. I email people even if there isn’t much of a chance of it leading to anything.

I even get invited to parties every now and then, though I am far from a social butterfly. I am not the life of the party and sometimes I am awkward. But I still put myself out there.

I am going to start teaching someone web development soon. I talk to people in my classes. I ask questions in my lectures. I go to office hours.

All these opportunities were possible thanks to me going back to college. But you can still do some of these things even without college. It’s harder though. College makes it easy to make friends and useful acquaintances. It’s not just about learning differential equations and object oriented programming and databases and shit. The social aspect is the most important for your career and personal development.

I would not describe myself as extroverted. I think I am rather quiet and reserved. But you have to put yourself out there, even if it’s uncomfortable. Sometimes, you will meet extroverted people. But sometimes it’s useful to get close to introverted people too, due to their skill sets or connections. I fail with my social interactions sometimes. Some people don’t get along with me, some people think I am awkward. But fear of failure can’t hold you back. That is way too self-limiting.

No man is an island. We are not lone wolves. We need to be a part of some kind of community, or even multiple communities.

Name: Anonymous 2018-06-11 20:00

I also give people rides or help them with things if they need it. People remember things like that.

Name: Anonymous 2018-06-11 20:29

>No man is an island. We are not lone wolves. We need to be a part of some kind of community, or even multiple communities.
Everyone's expendable and no-one has a real friend.
I believe at heart everyone's a killer.

Name: Anonymous 2018-06-11 22:59

*pukes*

Name: Anonymous 2018-06-12 6:31

>>51
here's a thing: preimage resistance doesn't mean much in the context in which MD5 was used. if you have a database full of MD5'd passwords, just being able to quickly but non-exhaustively bruteforce short ASCII strings is enough to extract a lot of cleartexts (it wouldn't be if people used truly random and unique passwords, but this isn't realistic unless everyone uses a password manager). that's why we use dedicated password hashing algorithms.

the other way people used MD5 in crypto was in certificates, and this was obviously vulnerable to collisions. it was even exploited in the wild by the Flame malware: https://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf

tl;dr not having known preimage attacks doesn't make it suitable for cryptographic uses

Name: Anonymous 2018-06-12 7:33

>>57
>preimage resistance doesn't mean much in the context in which MD5 was used
Preimage resistance means a lot actually.

>just being able to quickly but non-exhaustively bruteforce short ASCII strings is enough to extract a lot of cleartexts
MD5
Don't use shitty short passwords? You only need 20 characters (0-9a-zA-Z) to reach 128 bits of security.
In fact, if your hashed password has been leaked, what is the point of protecting the actual password? Chances are that the rest of the information about your account have been leaked and tampered with. This is why you should use public key authentication instead.

>the other way people used MD5 in crypto was in certificates, and this was obviously vulnerable to collisions
Collisions in certificates only matter if you need to sign someone else's data (such as in OpenPGP and in cases with CAs). It is not an issue if you are a CA and you generate the certificate yourself, it is not an issue if you use OpenPGP + MD5 and never sign other people's keys, it is not an issue if you use a self-signed certificate.

>https://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf
The issue here was that the generated certificate was attacked-controlled (a common issue when you rely on a 3rd party CA) and was signed by MS afterwards. We know that MD5's collision resistance is broken so it was a stupid move by MS to use it for something that needed collision resistance.

Meanwhile MD5 is totally safe for things like self-signed certificates and password hashing. It is also safe if used with any algorithm that only needs preimage resistance such as Ed25519 or SPHINCS(+).

Name: Anonymous 2018-06-12 7:49

>>58
>Don't use shitty short passwords? You only need 20 characters (0-9a-zA-Z) to reach 128 bits of security.
when you have to use 56789 different passwords with 242475889 different retarded rules about what constitutes a valid password, some of them will end up short and shitty unless you're using a password manager. but that has some usability-related caveats too.

>In fact, if your hashed password has been leaked, what is the point of protecting the actual password? Chances are that the rest of the information about your account have been leaked and tampered with. This is why you should use public key authentication instead.
most places on the internet and even on the corporate intranets don't use pubkey though. my SSH on a remote server does, but how many things accessible through a browser have that option?

>Meanwhile MD5 is totally safe for things like self-signed certificates and password hashing. It is also safe if used with any algorithm that only needs preimage resistance such as Ed25519 or SPHINCS(+).

I'd rather use specialized password-hashing functions which were designed to be bruteforce-resistant. scrypt, bcrypt, argon2. in fact, they're also pretty good for generating symmetric keys from passwords

Name: Anonymous 2018-06-12 8:25

>>59
>but that has some usability-related caveats too.
The only caveat is that some sites do not let the firefox password manager work correctly because they think that they are smart or some shit.

>most places on the internet and even on the corporate intranets don't use pubkey though
They should then. We should make password authentication as insecure and painful as possible so they end up forced to use pk authentication.

>how many things accessible through a browser have that option?
Until very recently client-side certificates in TLS leaked shit like username and other stuff. I suggest we purge TLS once we make the move to client side public keys.

>scrypt, bcrypt, argon2
All except scrypt and pbkdf2 are cancerous shitware, the mainstream argon2 implementation does not even follow their own standard and ends up with a different result. Not to mention that there are outstanding security issues with it for years that were ignored by its creators. Not to also mention that it uses BLAKE2 which is yet another Zooko scamware and downgrade from BLAKE or SHA-3 and other Keccak/sponge based constructions.

bcrypt.. do people still use that in this day and age?

As for scrypt and pbkdf2, you can use MD5 with them.

MD6 would have been good because merkle trees are good, I love trees, I breed with trees. Non-parallel constructions like MD are shite and spread AIDS. They are the reason why we have length extension attacks. Yet we are stuck with these.

Name: Anonymous 2018-06-12 8:29

>>60
>The only caveat is that some sites do not let the firefox password manager work correctly because they think that they are smart or some shit.
the other caveat is that you need to have an OS running to run a password manager, so you need a separate password for OS and/or for disk encryption. my employer has bullshit rules for domain password, which is obviously used for the OS, and I don't think there's a good way of using a manager for that

>Until very recently client-side certificates in TLS leaked shit like username and other stuff. I suggest we purge TLS once we make the move to client side public keys.
I agree, TLS is shit.

>As for scrypt and pbkdf2, you can use MD5 with them.
but why not use sha3 with them?

Name: Anonymous 2018-06-12 8:55

>>61
>so you need a separate password for OS and/or for disk encryption
OS/Disk encryption does not provide authentication - that will not protect you from software nor hardware keyloggers. This is one more reason why we should move to pk crypto.

>but why not use sha3 with them?
Performance or compatibility reasons? I would not know, I use PBKDF2 with 2^16 rounds + SHAKE256 for mine.
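An added Python example, not code from any poster in this thread, for the two posts arguing over MD5'd password tables versus a dedicated password hash (>>57 and the "PBKDF2 with 2^16 rounds" reply): an unsalted-MD5 table is constructed to show that equal passwords collapse to equal rows and that each guess costs one hash call, then the same passwords are stored with salted PBKDF2-HMAC-SHA256 at 2^16 iterations. SHA-256 stands in for the poster's SHAKE256 because hashlib's pbkdf2_hmac needs a fixed-length digest; the user table and storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample of a legacy "MD5'd passwords" table: no salt, one fast
# hash per row, so equal passwords produce equal rows and each guess is cheap.
LEGACY_USERS = {
    "alice": hashlib.md5(b"hunter2").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

PBKDF2_ROUNDS = 2 ** 16  # the iteration count quoted in the thread
SALT_BYTES = 16


def duplicate_hashes(users):
    """Hash values shared by more than one account (visible without any guessing)."""
    seen, dups = set(), set()
    for digest in users.values():
        if digest in seen:
            dups.add(digest)
        seen.add(digest)
    return dups


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as rounds$salt$dk (assumed encoding)."""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; constant-time compare."""
    rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def cost_ratio(samples=200):
    """How many unsalted MD5 guesses fit in the time of one PBKDF2 verification."""
    pw, salt = b"hunter2", b"\x00" * SALT_BYTES
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.md5(pw).digest()
    md5_each = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
    return (time.perf_counter() - t0) / md5_each
```

Salting removes the duplicate rows, and the iteration count is what raises the per-guess cost; neither property depends on MD5 having a preimage attack.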

Name: Anonymous 2018-06-12 9:29

>>62
OS/Disk encryption still requires a way to input the key, and having key derived from a password through a password derivation function is a decent enough compromise
