Nmap Development mailing list archives
Re: [NSE]
From: bensonk () acm wwu edu
Date: Mon, 12 Jan 2009 10:46:39 -0800
It sounds like a good idea, can't be too hard. I would like to point out that the vulnerability was oversimplified in the media. From what I have read, it requires that the cert was produced with "poor quality" entropy. Ben Laurie (of the OpenSSL team) posted a couple[1] of items[2] on his blog about this. In the comments of those posts, particularly the second one, there is some more information[3] about the attack. There's also a link to another blog post which describes exactly how[4] MD5 sigs can be made safe. Benson [1] http://www.links.org/?p=477 [2] http://www.links.org/?p=480 [3] http://www.links.org/?p=480#comment-274106 [4] http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html On Mon, Jan 12, 2009 at 11:28:07AM -0600, MadHat Unspecific wrote:
Anyone working on a script to detect MD5 signed SSL certs? -- MadHat (at) Unspecific.com "The true man wants two things: danger and play. For that reason he wants woman, as the most dangerous plaything." - Friedrich Nietzsche _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Attachment:
_bin
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [NSE] MadHat Unspecific (Jan 12)
- Re: [NSE] bensonk (Jan 12)
- Re: [NSE] MadHat Unspecific (Jan 12)
- On the topic of SSL and MD5 (was Re: [NSE]) Brandon Enright (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) MadHat Unspecific (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) Brandon Enright (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) Daniel Roethlisberger (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) Brandon Enright (Jan 12)
- Re: [NSE] bensonk (Jan 12)