lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 08 Aug 2008 22:27:13 +0300
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@...rtcom.org>
To: Ben Laurie <benl@...gle.com>
Cc: security@...nid.net, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com, OpenID List <general@...nid.net>,
	cryptography@...zdowd.com
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache
	poisoning advisory

Ben Laurie:
> On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
> <eddy_nigg@...rtcom.org>  wrote:
>    
>> This affects any web site and service provider of various natures. It's not
>> exclusive for OpenID nor for any other protocol / standard / service! It may
>> affect an OpenID provider if it uses a compromised key in combination with
>> unpatched DNS servers. I don't understand why OpenID is singled out, since
>> it can potentially affect any web site including Google's various services
>> (if Google would have used Debian systems to create their private keys).
>>      
>
> OpenID is "singled out" because I am not talking about a potential
> problem but an actual problem.
>    

Sorry Ben, but any web site or service (HTTP, SMPT, IMAP, SSH, VPN, etc) 
which makes use of a compromised key has an actual problem and not *a* 
potential problem. Open ID as a standard isn't more affected than, lets 
say XMPP...If there are servers and providers relying on such keys the 
have a real actual problem. I don't see your point about Open ID nor 
didn't I see anything new....

The problem of weak keys should be dealt at the CA level, many which 
have failed to do anything serious about it.

> We have spotted other actual problems in other services. Details will
> be forthcoming at appropriate times.
>    

I think it's superfluous to single out different services since any 
service making use of the weak keys is affected, with recent discovery 
of DNS poisoning making the matter worse. I suggest you try a forum 
which can potentially reach many CAs, they in fact have everything at 
their disposal to remove this threat!


Regards
Signer: 	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: 	startcom@...rtcom.org <xmpp:startcom@...rtcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Phone: 	+1.213.341.0390




Content of type "text/html" skipped

Download attachment "smime.p7s" of type "application/pkcs7-signature" (7327 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ