Full Disclosure mailing list archives
Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
From: "Ben Laurie" <benl () google com>
Date: Fri, 8 Aug 2008 20:41:01 +0100
On Fri, Aug 8, 2008 at 8:27 PM, Eddy Nigg (StartCom Ltd.) <eddy_nigg () startcom org> wrote:
Ben Laurie: On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.) <eddy_nigg () startcom org> wrote: This affects any web site and service provider of various natures. It's not exclusive for OpenID nor for any other protocol / standard / service! It may affect an OpenID provider if it uses a compromised key in combination with unpatched DNS servers. I don't understand why OpenID is singled out, since it can potentially affect any web site including Google's various services (if Google would have used Debian systems to create their private keys). OpenID is "singled out" because I am not talking about a potential problem but an actual problem. Sorry Ben, but any web site or service (HTTP, SMPT, IMAP, SSH, VPN, etc) which makes use of a compromised key has an actual problem and not a potential problem. Open ID as a standard isn't more affected than, lets say XMPP...If there are servers and providers relying on such keys the have a real actual problem.
I do not dispute this.
I don't see your point about Open ID nor didn't I see anything new....
The point is I found OpenID servers with weak keys.
The problem of weak keys should be dealt at the CA level, many which have failed to do anything serious about it.
Indeed.
We have spotted other actual problems in other services. Details will be forthcoming at appropriate times. I think it's superfluous to single out different services since any service making use of the weak keys is affected, with recent discovery of DNS poisoning making the matter worse. I suggest you try a forum which can potentially reach many CAs, they in fact have everything at their disposal to remove this threat!
If you have a better forum, bring it on. However, CAs do not have everything at their disposal to remove the threat. Browsers,OpenID libraries and RPs must also participate. Just as saying "buffer overflows are bad" has not magically caused all buffer overflows to be fixed, I am confident that the only way to get this problem fixed is to chase down all the culprits individually. I am sure that OpenID is not the only thing with problems, as you say. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Gerald Beuchelt (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dave Korn (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Perry E. Metzger (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Paul Hoffman (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)