
Re: Network security manager


From: Lars Magne Ingebrigtsen
Subject: Re: Network security manager
Date: Sun, 23 Nov 2014 21:36:51 +0100
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

"Garreau, Alexandre" <address@hidden> writes:

> No, the developers had the idea and gave some examples of usage
> (background change within firefox according to the domain name’s
> vizhash to prevent unicode-phishing for instance, or password
> verification, or things like that) without taking care of spreading
> the idea (which I think could have a real success).

Right.

> Oh, I thought gnutls could give an md5 of pubkey since certtool --info
> gives the md5sum just before the sha1… Anyway if it’s up to gnutls to
> calculate it, it means it’ll be less secure and more likely to find
> collisions… :/

If I remember correctly, it gives both md5 and sha1 of the certificate
ID, but not the public key ID.

The gnutls function for getting the public key ID is
gnutls_x509_crt_get_key_id, which does not take the hashing function as
an input -- it just outputs the sha1.

My take on the situation is that I think stuff like this:

function hashString(text) {
  var hash = hex_sha1(text) + hex_md5(text);
  return hash + hash.split('').reverse().join('');
}

(i.e., sha1+md5, and then add a reversed version of that to get plenty
of values to make drawings out of) is unlikely to get much uptake as a
visualisation method throughout the industry.

I like the idea: Showing a (somewhat) memorable image (and it's
certainly a lot more memorable than the ssh "random art").  But if this
doesn't get any uptake outside of Emacs, is it worth doing in Emacs?

Of course, the images we show in Emacs could be Emacs-"proprietary".
But then we could just disregard the vizhash implementation completely
and do our own algorithm based on better hashes.

I think.

Anyway, to implement the algorithm as is, we'd have to replicate most of
gnutls_x509_crt_get_key_id to get at the md5.  That's not a major issue,
but...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no


