Date: Sun, 25 May 2008 21:15:55 +0200
From: niclas <lists@...enritter.de>
To: Alexander Klink <a.klink@...ops.de>,
  full-disclosure@...ts.grok.org.uk
Subject: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange

Alex,

you recently wrote that you tested the CA-certificates - but you didn't
test the certificates which have been *signed* by the CAs.

They are a serious problem. The attack described in your recent post can
easily be avoided by exchanging vulnerable certificates, BUT:

If somebody grabbed an old (vulnerable) certificate quickly, he or she
could generate the private key which fits it and then abuse the cert.
for a man-in-the-middle attack.

I think all servers which had a vulnerable certificate, even for a short
time, are still not secure - at least as long as the old certificates
are still valid, which depends only on the validity date saved in the
certificate.

No, CRLs don't work. Firefox for example does not check for CRLs
(default setting), making certificate revocation senseless. I assume
other browsers don't check CRLs either. And what about the German
tax-software ELSTER?

German CCC Member Fefe describes this here (English and German):
http://blog.fefe.de/?ts=b6c9ec7e

His post is dated 23rd of May. He says somebody already got the old
cert. of "a248.e.akamai.net".


My comment with screenshots of Firefox's settings pages and an error
message here (German):
http://blog.datenritter.de/archives/208-gefaehrliche-Angriffsmoeglichkeit-durch-das-OpenSSL-Debakel.html


I think the only option is to change domain names. :-(

IMHO Felix is totally right in his criticism of PKI. When you download a
browser you get a bunch of CA-Certificates but no reason to trust even a
few of them.

n.

> Everybody keeps talking about changing your keys and updating OpenSSL,
> but this is not the only issue with the Debian/OpenSSL debacle. Consider
> that someone has sniffed your SSH traffic (say at a security conference?).
> If either a compromised server or client were involved, you have got
> a problem as the Diffie-Hellman key exchange at the start of the
> SSH session can now be broken. This means that all the data (passwords,
> SSH tunnel anyone?) can now be considered compromised if you are
> reasonably paranoid.

(...)

> You can find the script at
> http://www.cynops.de/download/check_weak_dh_ssh.pl.bz2

