| blahdeblah | Any of you fine security folks know of any crypto research which might indicate that chacha20-poly1305 might be showing signs of weakness? AWS removed it from their latest SFTP security policy, and they didn't announce it or explain why. https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html#cryptographic-algorithms | 01:59 |
|---|---|---|
| sarnold | yikes | 02:00 |
| sarnold | this is news to me | 02:00 |
| blahdeblah | I contacted their docs folks and they said it wasn't deprecated, but didn't reply when I pointed out that it was removed from their latest policy. | 02:10 |
| blahdeblah | I wonder whether there is some embargoed research out there that's going to drop soon... | 02:11 |
| blahdeblah | But you'd think between March and now something would have happened if that were the case. | 02:11 |
| sarnold | maaaaaaaybe; some of the processor flaws have taken two years or something to be made public | 02:13 |
| blahdeblah | I would also have thought that the OpenSSH folks would be keen to make it public quickly if there wre an important flaw... | 02:13 |
| sarnold | depending upon what might have hypothetically been discovered, it might take a *long* time for the huge enterprises to pivot; we get launchpad bugs on some openssl3 things that busted interop with VPN devices that haven't fixed a 2009 CVE yet.. | 02:14 |
| sarnold | hah | 02:14 |
| sarnold | you're very familiar with openssh folks I see :) | 02:14 |
| blahdeblah | (no, just making assumptions) | 02:15 |
| blahdeblah | Anyway, I'll leave it in your capable hands, sarnold. Might be nothing, who knows? | 02:15 |
| sarnold | I also assume that if Someone found something Important and wanted to spend a few months coordinating something, they would *not* talk with the openssh folks until about two hours before the CRD | 02:15 |
| blahdeblah | haha | 02:15 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!