The CAcert Privacy Policy was updated. Joined newly to the Policy are the privacy of the issued certificate and the data accessible to Assurers is defined more exactly now.
The whole Privacy Policy could be found under: https://www.cacert.org/index.php?id=10 or as usual at the bottom of each webpage of cacert.org.
A new vulnerability associated with RSA cryptography has been found, which works by spying the CPU internals with a spy program running on the same computer as the crypto application. Dedicated systems (like CAcert´s certificate generation) are not affected, only multi-tasking and multi-user systems are affected.
http://it.slashdot.org/article.pl?sid=06/11/18/2030247
A New Vulnerability In RSA Cryptography
Posted by kdawson on Saturday November 18, @04:45PM
from the predictions-of-trouble dept.
romiz writes, “Branch Prediction Analysis is a recent attack vector
against RSA public-key cryptography on personal computers that relies
on timing measurements to get information on the bits in the private
key. However, the method is not very practical because it requires
many attempts to obtain meaningful information, and the current
OpenSSL implementation now includes protections against those attacks.
However, German cryptographer Jean-Pierre Seifert has announced [1]a
new method called Simple Branch Prediction Analysis that is at the
same time much more efficient that the previous ones, only needs a
single attempt, successfully bypasses the OpenSSL protections, and
should prove harder to avoid without a very large execution penalty.”
From the article: “The successful extraction of almost all secret key
bits by our SBPA attack against an openSSL RSA implementation proves
that the often recommended blinding or so called randomization
techniques to protect RSA against side-channel attacks are, in the
context of SBPA attacks, totally useless.” [2]Le Monde interviewed
Seifert (in French, but Babelfish works well) and claims that the
details of the SBPA attack are being withheld; however, a PDF of the
paper is linked from the [3]ePrint abstract.
1. http://eprint.iacr.org/2006/351
2.
http://www.lemonde.fr/web/article/0,1-0@2-651865,36-835944@51-835781,0.html
3. http://eprint.iacr.org/2006/351
We would like to announce the availability of free PDF signature applications:
PortableSigner from http://portablesigner.sourceforge.net is a nice application with a GUI.
CAcert PDF Signer is an older, commandline only application.
Both applications are running on Java, and use the iText library, and should work on Linux, MacOSX and Windows.
http://wiki.cacert.org/wiki/PdfSigning
At the Usenix LISA’06 conference in Washington DC there will be a PGP signing party and CAcert Assurance event at the 5th of December 2006 at 8pm Wardman Park Mariott Hotel. Continue reading
RegisteredCommons is a new web-service aimed to provide a secure and trusted registry of audio, video, picture and text works. It will be launched at the 4th Wizards of OS Conference in Berlin together with Lawrence Lessig, co-founder of Creative Commons. RegisteredCommons will be using CAcert certificates for authenticating authors.
CAcert Assurance will be offered at the Wizards of OS conference in Berlin.
SHA-1 has just been broken a bit more: http://www.heise-security.co.uk/news/77244
CAcert is aggressively moving to SHA-2 as we speak.
Microsoft will support SHA-2 only in Windows Vista according to our sources.
Debian Stable, FreeBSD and OSX don´t provide SHA-2 in their current versions.
SuSE, Knoppix, FC5, Ubuntu, Mandriva, … all support SHA-2 already.
Read more details about SHA-2 support of various applications and distributions on http://wiki.cacert.org/wiki/HashInterop
Please contact your vendor to tell them that you need SHA-2 support!
http://en.wikipedia.org/wiki/SHA
At the SANE2006 system and network admin conference running from 15th of May 2006 up to Friday 19th of May 2006 in Delft, Holland (see SANE2006) CAcert Assurances as well PGP signing can be done. At Wednesday 17th of May 2006 there is from 18:30 a special (free entrance) Bazar with a CAcert booth to obtain your assurance or to assure others.
The event location is: TU Delft, Aula Congress Centre, Mekelweg 5, Delft, Holland.
Be prepared and do your preparations see CAcert web site or SANE2006 CAcert info.
At the annual technical USENIX’06 conference running from 30th of May till June 3rd, 2006 in Boston, USA you will be able to be assured by CAcert Assurers and obtaining more information at the Birds of Feather session at one of the evenings at the conference. If you only want to be assured and not attend the conference feel free to walk in and ask for a CAcert Assurer. If you want your PGP key signed feel free to drop in as well.
Be prepared and visit the CAcert web site for the preparations (Assurer Forms, registration account, etc.).
For more information see BOSTON06
The Electronic Frontier Foundation filed the legal briefs and evidence supporting its motion for a preliminary injunction in its class-action lawsuit against AT&T, claiming that AT&T is diverting Internet traffic into the hands of the NSA wholesale, in violation of federal wiretapping laws and the Fourth Amendment.
EFF Breaking NewsThe issue of statistics came up again today (as it does from time to time), currently CAcert is experiencing linear growth rates both in the number of certificates issued each month and the numbers of new signups. Assurances tend to be a bit spikey depending how many conferences attended.
In any case, the number of certificates issued has more then doubled in the past 10 months (about May last year is the half way point) so one must wonder where things are headed if the same trend continues.
Some quick stats for people, about the begining of this month we issued our 100,000th certificate, and about the same time we had our 50,000th signup, and by this time next year we could easily have more then double both those numbers.