Bugtraq mailing list archives
Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
From: "Ben Laurie" <benl () google com>
Date: Fri, 8 Aug 2008 15:51:34 +0100
On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.) <eddy_nigg () startcom org> wrote:
> This affects any web site and service provider of various natures. It's not exclusive for OpenID nor for any other protocol / standard / service! It may affect an OpenID provider if it uses a compromised key in combination with unpatched DNS servers. I don't understand why OpenID is singled out, since it can potentially affect any web site including Google's various services (if Google would have used Debian systems to create their private keys).
OpenID is "singled out" because I am not talking about a potential problem but an actual problem. We have spotted other actual problems in other services. Details will be forthcoming at appropriate times.