Re: On the topic of SSL and MD5 (was Re: [NSE])

[MadHat Unspecific <madhat () unspecific com>]

Brandon Enright wrote:
> On Mon, 12 Jan 2009 10:46:39 -0800
> bensonk () acm wwu edu wrote:
>
> ...snip...
>
> > There's also a link to another blog
> > post which describes exactly how[4] MD5 sigs can be made safe.  
<snip>

> The best solution is to remove all CA certs that sign with MD5 from
> your browser trust.  It is naive to think in a MitM scenario your Nmap
> scanner is going to scan and detect a cert signed using MD5 *before*
> the attack starts.

Not what anyone was thinking, as far as I know.  Once again, the idea of
the scan to detect an MD5 signature was not to prevent anything bad from
happening, but to manage expectation of management.  The issue has been
in the news and they don't understand the full technical details.  If it
makes management feel better to know we do not use any SSL certs signed
using md5, then verify for me that we don't use any certs signed with
md5.  I don't care if it actually helps or not, it makes management
happy and guess who signs *MY* check?

Also, this is not MY place of business that is having the issue.  This
is an issue being experienced by friends in the industry.  I was merely
looking for a way to help them verify if they had any certs that fell
into the "concerning" category.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


-- 
MadHat (at) Unspecific.com
"The true man wants two things: danger and play.
 For that reason he wants woman, as the most dangerous plaything."
                          - Friedrich Nietzsche

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org