Full Disclosure mailing list archives
Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange
From: Alexander Klink <a.klink () cynops de>
Date: Mon, 26 May 2008 15:56:49 +0200
That is indeed a problem. AFAIK IE 7 on Vista now does some CRLcheckingby default, but I haven't tried it yet.I did some research on this recently, and the story for browser support is actually much more complicated. In addition to CRLs there is a
It is even a bit more complicated - CRL checking can mean two different things: 1. check manually downloaded and installed CRLs, which is what Firefox 1 and 2 will do if you install one. This is different from 2. download CRLs automatically from the "CRL Distribution Point" (CDP), which may be contained in the certificate and check the CRL afterwards. Firefox 1 or 2 won't do this for you. So for a typical user, this
* Firefox 1 and 2 support both OCSP and CRL, but default to using CRL.
boils down to: they do not do any revocation checking. Cheers, Alex -- Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink () cynops de mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de ----------------------------+----------------------+--------------------- HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer: Bad Homburg v. d. Höhe | | Martin Bartosch _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Identify weak Debian OpenSSL clients in SSH DH key exchange Alexander Klink (May 24)
- OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange niclas (May 25)
- Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange Alexander Klink (May 26)
- Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange Larry Seltzer (May 26)
- Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange Alexander Klink (May 26)
- Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange Alexander Klink (May 26)
- OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange niclas (May 25)