[cfarm-users] Automated deployment across multiple cfarm hosts

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Sep 18 04:46:28 CEST 2024


Jacob Bachmeyer via cfarm-users <cfarm-users at lists.tetaneutral.net> writes:

>512-bit RSA is definitely breakable and should not be used for a long-term
>key.  768 bits is also too short; 1024 is currently marginal and definitely
>not suitable for a high-value target, but impersonating a cfarm host will not
>get an attacker much other than (eventually) caught.

In this case it's really just a nuisance (in terms of getting warnings about
512-bit keys); they're public machines that anyone can request an account on,
used to test open-source software that anyone can get a copy of.  It's a bit
like the joke that (Moxie Marlinspike?) made about people being paranoid about
encryption security being broken by the US government while accessing public
web sites run by the US government.

Same with the use of SHA-1: the attacks are chosen-prefix offline attacks,
which means the attacker gets to select the initial state and then spend as
much time as they like on getting a collision, neither of which applies to SSH,
TLS, IPsec, etc.

So apart from the nuisance warnings there's not much need to do anything,
particularly if they're older systems that would be problematic to move to
newer SSH versions.

Peter.
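
Added example, not part of the message above and not cfarm tooling: a small inventory script that reads known_hosts-format text, parses each ssh-rsa blob (RFC 4253 wire format) and reports the modulus size against the sizes named in the quoted text. The host names and sample keys are constructed, and mapping in-between sizes to the next-larger verdict is an assumption.

```python
import base64, struct

def _field(buf, off):
    """Read one length-prefixed field (RFC 4251 string/mpint)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    end = off + 4 + struct.unpack(">I", buf[off:off + 4])[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def rsa_modulus_bits(b64_blob):
    """Modulus size in bits of an ssh-rsa public key blob."""
    buf = base64.b64decode(b64_blob, validate=True)
    ktype, off = _field(buf, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _e, off = _field(buf, off)   # public exponent, unused here
    n, _ = _field(buf, off)      # modulus, big-endian mpint
    return int.from_bytes(n, "big").bit_length()

def classify(bits):
    """Verdicts from the quoted text; it says nothing above 1024 bits."""
    for limit, verdict in ((512, "breakable"), (768, "too short"), (1024, "marginal")):
        if bits <= limit:
            return verdict
    return "larger than the sizes discussed"

def audit_known_hosts(text):
    """Return [(host, bits, verdict)] for RSA entries in known_hosts text."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "ssh-rsa":
            continue             # comments, markers, other key types
        try:
            bits = rsa_modulus_bits(parts[2])
        except ValueError:
            continue             # malformed base64 or truncated blob
        out.append((parts[0], bits, classify(bits)))
    return out

def _sample_line(host, bits):
    """Constructed entry: modulus 2^(bits-1)+1 has the right size, not a real key."""
    f = lambda b: struct.pack(">I", len(b)) + b
    mp = lambda i: f(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    blob = f(b"ssh-rsa") + mp(65537) + mp((1 << (bits - 1)) | 1)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

SAMPLE = "\n".join(_sample_line(h, b) for h, b in
                   [("hostA.example", 512), ("hostB.example", 1024), ("hostC.example", 2048)])
if __name__ == "__main__":
    print(*audit_known_hosts(SAMPLE), sep="\n")
```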

