[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Aug 2008 15:51:34 +0100
From: "Ben Laurie" <benl@...gle.com>
To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@...rtcom.org>
Cc: security@...nid.net, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com, OpenID List <general@...nid.net>,
cryptography@...zdowd.com
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache
poisoning advisory
On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg@...rtcom.org> wrote:
> This affects any web site and service provider of various natures. It's not
> exclusive for OpenID nor for any other protocol / standard / service! It may
> affect an OpenID provider if it uses a compromised key in combination with
> unpatched DNS servers. I don't understand why OpenID is singled out, since
> it can potentially affect any web site including Google's various services
> (if Google would have used Debian systems to create their private keys).
OpenID is "singled out" because I am not talking about a potential
problem but an actual problem.
We have spotted other actual problems in other services. Details will
be forthcoming at appropriate times.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists