Jump to content
Please Use CODE Tags

Is this encryption method secure?

ScratchCat
By ScratchCat
in Programming
 Share
Go to solution Solved by ChalkChalkson,
1 minute ago, JacobFW said:

But there's also the PR factor.  It's bad enough trying your damnedest to design a program to be secure and releasing it to the public, only for hackers to starting finding bugs in it.  If you release a product to the public with a known and critical security flaw, it will be found and it will utterly destroy, not just your company, but your own name, and your career in the security industry is over.

Actually disagree with you here. Mostly because OP seem to be focussed on building a program which has "good enough" security, not a program that is "secure" otherwise this would be a terrible place to post to. 

And in fact MITM attacks are so powerful, that the only way to get around it is 2 factor authentication. 

Speaking of which a possible other solution that can be done with moderate effort and is not terribly inconvenient is either using email as a second factor (as is so common in the industry) or much better sending an SMS to a mobile phone number setup at registration.

However this is still vulnerable to an MITM attack at signup, but hey if someone can do that, they can do pretty much anything

Posted
20 hours ago, Blade of Grass said:

Trust is an inherent issue in our CA system

It's not just that per se, as that is itself ultimately rooted in the bootstrap problem of cryptography.

Much like how people call TCP reliable, yet it is absolutely 100% impossible to create a reliable transport protocol on top of an unreliable medium.  It is literally impossible to establish a secure channel within an insecure medium.

 

Therefore we "solve" the problem of impossibility by bypassing the medium entirely at the start of the process (ie. sysadmins externally deciding to mutually trust a CA).  As you note, it is not a true solution, but it is the best approximation we have been able to come up with so far to a truly impossible problem.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
On 10/17/2017 at 11:05 AM, ChalkChalkson said:

Actually disagree with you here. Mostly because OP seem to be focussed on building a program which has "good enough" security, not a program that is "secure" otherwise this would be a terrible place to post to. 

And in fact MITM attacks are so powerful, that the only way to get around it is 2 factor authentication. 

Speaking of which a possible other solution that can be done with moderate effort and is not terribly inconvenient is either using email as a second factor (as is so common in the industry) or much better sending an SMS to a mobile phone number setup at registration.

However this is still vulnerable to an MITM attack at signup, but hey if someone can do that, they can do pretty much anything

OP should not be focusing like that. What good is a half-hearted approach to security? You either go all the way or don't waste your time. Even when you give your very best, we will still find a way in.

Join the Appleitionist cause! See spoiler below for answers to common questions that shouldn't be common!

Spoiler

Q: Do I have a virus?!
A: If you didn't click a sketchy email, haven't left your computer physically open to attack, haven't downloaded anything sketchy/free, know that your software hasn't been exploited in a new hack, then the answer is: probably not.

 

Q: What email/VPN should I use?
A: Proton mail and VPN are the best for email and VPNs respectively. (They're free in a good way)

 

Q: How can I stay anonymous on the (deep/dark) webzz???....

A: By learning how to de-anonymize everyone else; if you can do that, then you know what to do for yourself.

 

Q: What Linux distro is best for x y z?

A: Lubuntu for things with little processing power, Ubuntu for normal PCs, and if you need to do anything else then it's best if you do the research yourself.

 

Q: Why is my Linux giving me x y z error?

A: Have you not googled it? Are you sure StackOverflow doesn't have an answer? Does the error tell you what's wrong? If the answer is no to all of those, message me.

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
  • Author
7 hours ago, LtStaffel said:

OP should not be focusing like that. What good is a half-hearted approach to security? You either go all the way or don't waste your time. Even when you give your very best, we will still find a way in.

It has been replaced with a certificate system using RSA verification , it is simply a project where proving understanding of a system is better than using a completed implementation, even if it is ( certainly ) worse than a reference implementation. It would be as simple as adding the ssl module to the program in ~10 lines to have a secure solution. Even a half hearted approach is better than none , it at least delays decryption or makes it harder so that not every average joe will bother to try break it. 

 

Until a way is found to pass infinitely long one time pads to all users securely we will have a security risk, OTP is the only mathematically proven way to completely secure a transmission. At that point it is easier to obtain access to the system via vulnerabilities. 

Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Programming

×