Full Disclosure mailing list archives
Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg () startcom org>
Date: Fri, 08 Aug 2008 14:44:56 +0300
Ben Laurie:
Security Advisory (08-AUG-2008) (CVE-2008-3280) =============================================== Ben Laurie of Google's Applied Security team, while working with an external researcher, Dr. Richard Clayton of the Computer Laboratory, Cambridge University, found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs.
This affects any web site and service provider of various natures. It's not exclusive for OpenID nor for any other protocol / standard / service! It may affect an OpenID provider if it uses a compromised key in combination with unpatched DNS servers. I don't understand why OpenID is singled out, since it can potentially affect any web site including Google's various services (if Google would have used Debian systems to create their private keys).
Regards Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org> Jabber: startcom () startcom org <xmpp:startcom () startcom org> Blog: Join the Revolution! <http://blog.startcom.org> Phone: +1.213.341.0390
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Gerald Beuchelt (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dave Korn (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Perry E. Metzger (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)