Full Disclosure mailing list archives

Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg () startcom org>
Date: Fri, 08 Aug 2008 22:27:13 +0300

Ben Laurie:

On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg () startcom org>  wrote:

This affects any web site and service provider of various natures. It's not
exclusive for OpenID nor for any other protocol / standard / service! It may
affect an OpenID provider if it uses a compromised key in combination with
unpatched DNS servers. I don't understand why OpenID is singled out, since
it can potentially affect any web site including Google's various services
(if Google would have used Debian systems to create their private keys).


OpenID is "singled out" because I am not talking about a potential
problem but an actual problem.

Sorry Ben, but any web site or service (HTTP, SMPT, IMAP, SSH, VPN, etc)which makes use of a compromised key has an actual problem and not *a*potential problem. Open ID as a standard isn't more affected than, letssay XMPP...If there are servers and providers relying on such keys thehave a real actual problem. I don't see your point about Open ID nordidn't I see anything new....

The problem of weak keys should be dealt at the CA level, many whichhave failed to do anything serious about it.

We have spotted other actual problems in other services. Details will
be forthcoming at appropriate times.

I think it's superfluous to single out different services since anyservice making use of the weak keys is affected, with recent discoveryof DNS poisoning making the matter worse. I suggest you try a forumwhich can potentially reach many CAs, they in fact have everything attheir disposal to remove this threat!



Regards
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         startcom () startcom org <xmpp:startcom () startcom org>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:  +1.213.341.0390

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Gerald Beuchelt (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
  - Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
    - Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
    - Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
    - Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
  - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dave Korn (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Perry E. Metzger (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Paul Hoffman (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)

(Thread continues...)