| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9B9E7EA67E1B1342B2D25F3FD1B329306FE667@BE35.exg3.exghost.com> Date: Mon, 26 May 2008 09:15:22 -0400 From: "Larry Seltzer" <larry@...ryseltzer.com> To: <full-disclosure@...ts.grok.org.uk> Subject: Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange >>> No, CRLs don't work. Firefox for example does not check for CRLs >>> (default setting), making certificate revocation senseless. I assume, >>> other Browsers don't check CRLs either. And what about the german > That is indeed a problem. AFAIK IE 7 on Vista now does some CRL checking > by default, but I haven't tried it yet. I did some research on this recently, and the story for browser support is actually much more complicated. In addition to CRLs there is a protocol called OCSP for checking the status of a specific certificate by serial number. * Internet Explorer 6 and Internet Explorer 7 on Windows XP support CRL checking but default to not using it. * Firefox 1 and 2 support both OCSP and CRL, but default to using CRL. * Internet Explorer 7 on Vista and Firefox 3 support both OCSP and CRL and default to using OCSP. Opera 8.5 and later supports only OCSP and uses it by default. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine larry.seltzer@...fdavisenterprise.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists