Full Disclosure mailing list archives
Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Mon, 26 May 2008 09:15:22 -0400
No, CRLs don't work. Firefox for example does not check for CRLs (default setting), making certificate revocation senseless. I
assume,
other Browsers don't check CRLs either. And what about the german
That is indeed a problem. AFAIK IE 7 on Vista now does some CRL
checking
by default, but I haven't tried it yet.
I did some research on this recently, and the story for browser support is actually much more complicated. In addition to CRLs there is a protocol called OCSP for checking the status of a specific certificate by serial number. * Internet Explorer 6 and Internet Explorer 7 on Windows XP support CRL checking but default to not using it. * Firefox 1 and 2 support both OCSP and CRL, but default to using CRL. * Internet Explorer 7 on Vista and Firefox 3 support both OCSP and CRL and default to using OCSP. Opera 8.5 and later supports only OCSP and uses it by default. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine larry.seltzer () ziffdavisenterprise com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Identify weak Debian OpenSSL clients in SSH DH key exchange Alexander Klink (May 24)
- OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange niclas (May 25)
- Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange Alexander Klink (May 26)
- Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange Larry Seltzer (May 26)
- Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange Alexander Klink (May 26)
- Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange Alexander Klink (May 26)
- OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange niclas (May 25)