sfs8 pt1

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Tue, 30 Sep 2008 14:14:38 +0100


Charles Lindsey wrote:
> On Mon, 29 Sep 2008 22:03:56 +0100, Dave Howe <DaveHowe@gmx.co.uk> wrote:
> 
>> Charles Lindsey wrote:
>>> Sure, that makes sense. If you are the administrator of the server, then
>>> presumably you have access to the public keys anyway, so nothing wrong
>>> with using them to debug your IP traces.
>>>
>>> But the article, as written, seemed to imply that the process could be
>>> performed from the client end. It needs to be more carefully written.
>>
>> I am more concerned that, in the absence of DHE, a RIPA request for the
>> server key could decrypt historic data....
> 
> Exactly.
> 
> But AIUI, it is the server that lists the options it will support, and 
> the browser that chooses which one will be used. Or is it the other way 
> around?
> 
> If it is the browser that chooses, and if, as reported, it chooses the 
> "first", is that the first in its list, or the first in the server's 
> list? If it is in _its_ list, then could reordering the list solve the 
> problem?
> 
> But, in any case, it will be easier for concerned users to fix their 
> browsers, or persuade the implementors to do so, than to persuade all 
> the servers out there to change.

Perhaps - but if you are concerned about your own security, rather than 
anyone else's, then you can offer only DHE options if you are a server, 
and only choose DHE options if you are a browser - however the latter is 
a bit harder for windowheads to implement, I expect.


I don't know who chooses though.


-- Peter Fairbrother
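
Added example, not part of the original message or thread: a Python model of the selection question raised above, plus a server context limited to (EC)DHE key exchange. In TLS the client offers an ordered suite list and the server picks; the suite lists are constructed samples, and the name-prefix test and cipher string assume OpenSSL naming as used by Python's ssl module.

```python
import ssl

# OpenSSL name prefixes for ephemeral Diffie-Hellman key exchange.
# TLS 1.3 suites ("TLS_...") always use an ephemeral exchange.
EPHEMERAL_PREFIXES = ("DHE-", "ECDHE-", "TLS_")


def is_ephemeral(suite):
    return suite.startswith(EPHEMERAL_PREFIXES)


def negotiate(client_offer, server_list, server_preference=False):
    """Model of TLS suite selection: the client offers an ordered list in
    its ClientHello and the server picks one suite both sides support.
    The server follows the client's order unless it enforces its own."""
    if server_preference:
        ordered, other = server_list, set(client_offer)
    else:
        ordered, other = client_offer, set(server_list)
    for suite in ordered:
        if suite in other:
            return suite
    return None  # no common suite: the handshake fails


def ephemeral_only_server_context():
    """Server-side context that offers only (EC)DHE key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Assumption: OpenSSL cipher-string syntax; !aNULL drops anonymous DH.
    ctx.set_ciphers("ECDHE:DHE:!aNULL:!eNULL")
    return ctx


def non_ephemeral_suites(ctx):
    """Names of enabled suites whose key exchange is not ephemeral."""
    return [c["name"] for c in ctx.get_ciphers() if not is_ephemeral(c["name"])]


# Constructed sample lists (OpenSSL suite names), not taken from the thread.
CLIENT_DEFAULT = ["AES128-SHA", "DHE-RSA-AES128-SHA"]    # static RSA first
CLIENT_REORDERED = ["DHE-RSA-AES128-SHA", "AES128-SHA"]  # DHE first
CLIENT_DHE_ONLY = ["DHE-RSA-AES128-SHA"]
SERVER_MIXED = ["AES128-SHA", "DHE-RSA-AES128-SHA"]
SERVER_DHE_ONLY = ["DHE-RSA-AES128-SHA"]
SERVER_RSA_ONLY = ["AES128-SHA"]
```

Reordering the client list only helps when the server honours client order; restricting either side to DHE suites gives DHE or a failed handshake, never a silent fallback to static RSA.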