Home   Groups   Digests   Personalise   Search   Login
  POV-Ray : Newsgroups : povray.off-topic : Is this the end of the world as we know it? : Re: Is this the end of the world as we know it? Server Time
31 Jul 2024 04:24:15 EDT (-0400)
  Re: Is this the end of the world as we know it?  
From: Jim Henderson
Date: 16 Oct 2011 18:22:44
Message: <4e9b5934$1@news.povray.org>
 
On Mon, 10 Oct 2011 11:11:45 +0100, Invisible wrote:

>>> So, just because it does strong authentication, you think that means
>>> the actual data is encrypted?
>>
>> It's actually a certificate verification message, not a 'strong
>> authentication' message.  It's asking about an SSL certificate that's
>> used to encrypt the entire communications channel.
>>
>> You know, like actual security.
> 
> Fact: It doesn't matter how strong the authentication process is. This
> does not automatically mean that the data that follows is encrypted in
> any way at all.

No, it doesn't - the fact that it actually *is* encrypted is what means 
that it is, you know, encrypted.

>> Don't believe me?  Fine, I'll do a wireshark trace on it.
>>
>> Nope, 1200 packets, nothing in the clear.
> 
> And how do you tell whether random binary data is encrypted or not?

There's nothing "in the clear".  I connected to the system, opened a CMD 
window, and listed directory contents.

That, plus the fact that it, you know, actually is *documented* to be 
encrypted.

The fact that you don't *believe* the documentation doesn't, you know, 
actually mean it's not encrypted.

How do you know your VPN is encrypted?  Because it *says* so?  What are 
you, nuts? ;)

>> "128-bit encryption, using the RC4 encryption algorithm, as of Version
>> 6.
> 
> RC4? Man, how ancient is that? You realise it was a weakness in RC4 that
> allowed WEP to be broken, right?

Yes, I do.  However, *weak* encryption is still, you know, *encryption*.

>> Nope, I guess you're right.  Adding 128-bit encryption isn't security.
> 
> Fact: The number of bits in the encryption key is not directly related
> to how secure the encryption is. Triple DES has a 168-bit key, and it's
> widely considered far too insecure to use.

But it's still encryption.  You asserted that it's not encrypted.  I 
proved that it was.  Now, if you want to talk about encryption 
*strength*, that's different than, you know, whether it's encrypted or 
not.

>> "Support for Transport Layer Security (TLS) 1.0 on both server and
>> client ends (set as default)."
> 
> Now that's more like it.
> 
> (Sadly, on further investigation, it appears that TLS 1 still uses RC4
> or Triple-DES. So much for HTTPS being secure...)

But it's still *encrypted*, which you categorically claimed it wasn't.

>> Clearly I don't have a clue what I'm talking about.
> 
> I'm still left wondering how many of these features are actually turned
> on by default. Every Windows protocol I know of sends everything
> unencrypted by default, and most of them offer no possibility of adding
> encryption. I'd be rather surprised if RDP is different.

Well, it's just documented as being enabled by default.  Like your VPN.  
How do you know your VPN is actually encrypted?

>> Oh, and I pointed you at an SSH server for Windows.  It comes with
>> Cygwin.
> 
> Right. I didn't know about that when I set this up.

You knew about it before you made this post.  So now you know it's 
available so you can use it.  That is if you believe that SSH is actually 
encrypted.  After all, you just have the documentation to tell you that - 
because it's a stream of random binary data.  It may well not be 
encrypted.  You don't know.  Just like RDP.

Jim


Post a reply to this message

Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.