By the time you have read this, I will have given a talk at WordPress Leeds
the folks who organise the meetup are fantastic, and you should defini...
Is this true? I was under the impression that things like TLS have both parties use their own private/public key pairs, something like Diffie-Hellman to get a shared secret, then a KDF to derive a key that's never transmitted over the wire.
You're absolutely right. I'll need to think of how to change this slightly.
I wanted to somehow point out that, given enough compute time, the encryption can be brute forced after the fact. I think I'll just leave that bit out.
But I will edit this post/notes to strike through that bit.
Yeah, encryption keys are only valid for n numbers of operations, that number changes depending on the bit size of the key, but it's a pretty large number. But yeah, getting into that's kinda the nitty gritty. Even still, brute forcing even the smaller of AES keys (128 bits) takes a long time - not sure how accurate this is to today's compute, but from: eetimes.com/document.asp?doc_id=12.... in the uh, scientific notation of years!
Thank you again for the follow-up security post, Jamie.
I am trying to understand by rephrasing.
In "Single Responsibility Principle", so is the rule of thumb to "black list" everyone and open up access one by one?
Did I understand it correctly?
😲 I honestly didn't know!
Effectively yes. Think of your employer. Does everyone in the world have access to your company building? I'd suspect that only those who need to be there have access to it.
What about the server rooms? Assuming that you have on prem servers, of course. Is everyone at your work given admin access to the resources on your network? (please don't answer that one, just think about it).
You don't want to give everyone access to everything.
Yeah. The Secure Sockets Layer algorithm had too many potential flaws and was replaced with Transport Layer Security. From an end user perspective it's the same thing, though.
Thanks Jamie. Analogies did help solidify the concept 😀
You're welcome
That is a very interesting post.
I am always looking for good security related resources, so that I can push them to the developers I am working with and try to evangelize as many developers as I can.
I wrote some on my own, but as you said, it is such a large topic, that it is very important to rely on other resources. :-)