| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Aug 2008 15:51:34 +0100 From: "Ben Laurie" <benl@...gle.com> To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@...rtcom.org> Cc: security@...nid.net, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, OpenID List <general@...nid.net>, cryptography@...zdowd.com Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.) <eddy_nigg@...rtcom.org> wrote: > This affects any web site and service provider of various natures. It's not > exclusive for OpenID nor for any other protocol / standard / service! It may > affect an OpenID provider if it uses a compromised key in combination with > unpatched DNS servers. I don't understand why OpenID is singled out, since > it can potentially affect any web site including Google's various services > (if Google would have used Debian systems to create their private keys). OpenID is "singled out" because I am not talking about a potential problem but an actual problem. We have spotted other actual problems in other services. Details will be forthcoming at appropriate times. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists