lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 30 Dec 2008 15:29:54 -0800
From: chort <chort0@...il.com>
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: Creating a rogue CA certificate

On Tue, Dec 30, 2008 at 2:42 PM, n3td3v <xploitable@...il.com> wrote:
> On Tue, Dec 30, 2008 at 10:29 PM,  <Valdis.Kletnieks@...edu> wrote:
>> On Tue, 30 Dec 2008 20:10:16 GMT, n3td3v said:
>>> Aiding script kids to get credit card numbers out of folks e-commerce
>>> purchases.
>>
>> Dear Idiot:
>>
>> This is hardly an attack that the average script kiddie can pull off.
>>
>
> Until HD Moore releases an attack module for it.

Since you're so certain this is possible, could you kindly summarize
(at a high level, no need for detail) how this could be accomplished?

Now that you're unable to do so, I will explain why:  Because you
don't have a clue how PKI works, much less how it's possible to
exploit it, which is really tragic considering there are plenty of
pretty graphs and dumbed-down explanations out there now that even a
drop-out should be able to comprehend.

Assuming source code, or even full attack details, are published any
time soon, will HD Moore also be sending out free super-computing
clusters to find the MD5 collisions?  Well he be sending free money to
buy the certificates required to accurately predict the serial number
to generate?  This isn't some SQL injection or remote buffer overflow,
there are a lot of manual steps involved that cannot simply be plugged
into a generic attack platform.

You're an ignorant fool.  You should ask questions to learn how things
work before you spout opinions.  Statements are only thought-provoking
if they're made based on comprehension of the subject matter.  The
only thing you have full comprehension of is how to hit Send, and
that's quite unfortunate.


-- 
chort

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ