EmailDiscussions.com  


FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

27 Aug 2013, 08:11 PM   #16
robert@fm
The "e" in e-mail
 
Join Date: Feb 2002
Location: London, UK
Posts: 4,681
In response to this thread, I have posted a Connection settings page on the wiki. After all, this sort of thing is why the wiki exists.
6 Sep 2013, 11:07 PM   #17
CCS
Junior Member
 
Join Date: Aug 2013
Posts: 7
Quote:
Originally Posted by CCS
Probably the thing that is new about the revised SSL standards is that a backdoor has been inserted for the NSA.

So, it might be a good idea for anyone concerned with possibly having a semblance of security to use

insecuressl.messagingengine.com

so that they can continue to make use of the old SSL standards which might lack a backdoor.
Using the old SSL may not guarantee real security, but it is certain that the "new standards" have had vulnerabilities and/or backdoors inserted into them to deliberately compromise their security. Eliminating security is probably the main purpose for their introduction. The recent changes that broke Pegasus probably decreased whatever security Fastmail users previously enjoyed. I will certainly ask that Pegasus NEVER accommodate to the NSA's newly compromised SSL.

Revealed: How US and UK spy agencies defeat internet privacy and security

Quote:
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
...
Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force", and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.
...
Among other things, the program is designed to "insert vulnerabilities into commercial encryption systems". These would be known to the NSA, but to no one else, including ordinary customers, who are tellingly referred to in the document as "adversaries".
...
The documents show that the agency has already achieved another of the goals laid out in the budget request: to influence the international standards upon which encryption systems rely.

Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.

"Eventually, NSA became the sole editor," the document states.
...
"Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role.

It is used by the NSA to "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum".

Last edited by CCS : 7 Sep 2013 at 12:07 AM.
11 Sep 2013, 12:20 PM   #18
CCS
Junior Member
 
Join Date: Aug 2013
Posts: 7

A Few Thoughts on Cryptographic Engineering: On the NSA
by Matthew Green
Quote:
If you haven't read the ProPublica/NYT or Guardian stories, you probably should. The TL;DR is that the NSA has been doing some very bad things. At a combined cost of $250 million per year, they include:

1. Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.
2. Influencing standards committees to weaken protocols.
3. Working with hardware and software vendors to weaken encryption and random number generators.
4. Attacking the encryption used by 'the next generation of 4G phones'.
5. Obtaining cleartext access to 'a major internet peer-to-peer voice and text communications system' (Skype?)
6. Identifying and cracking vulnerable keys.
7. Establishing a Human Intelligence division to infiltrate the global telecommunications industry.
8. And worst of all (to me): somehow decrypting SSL connections
10 Sep 2014, 10:55 PM   #19
robert@fm
The "e" in e-mail
 
Join Date: Feb 2002
Location: London, UK
Posts: 4,681
Pegasus Mail

Pegasus Mail (build 4.74, February 2014) now uses the same OpenSSL library as Fastmail, hence the two are now working together again.
All times are GMT +9.