Nmap Development mailing list archives
Re: [NSE]
From: MadHat Unspecific <madhat () unspecific com>
Date: Mon, 12 Jan 2009 12:51:40 -0600
bensonk () acm wwu edu wrote:
It sounds like a good idea, can't be too hard. I would like to point out that the vulnerability was oversimplified in the media. From what I have read, it requires that the cert was produced with "poor quality" entropy. Ben Laurie (of the OpenSSL team) posted a couple[1] of items[2] on his blog about this. In the comments of those posts, particularly the second one, there is some more information[3] about the attack. There's also a link to another blog post which describes exactly how[4] MD5 sigs can be made safe.
I appreciate all the info. I know the media oversimplified, but management does not get the technical details behind it, and I have heard from several people they have been tasked with verifying all their SSL certs are valid and do not use MD5. It is more about perception than reality. Just being able to verify would be nice.
Benson

[1] http://www.links.org/?p=477
[2] http://www.links.org/?p=480
[3] http://www.links.org/?p=480#comment-274106
[4] http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html

On Mon, Jan 12, 2009 at 11:28:07AM -0600, MadHat Unspecific wrote:
Anyone working on a script to detect MD5 signed SSL certs?
--
MadHat (at) Unspecific.com
"The true man wants two things: danger and play. For that reason he wants woman, as the most dangerous plaything." - Friedrich Nietzsche
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
--
MadHat (at) Unspecific.com
"The true man wants two things: danger and play. For that reason he wants woman, as the most dangerous plaything." - Friedrich Nietzsche
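The check asked for in this thread, as an added example that is not part of the original messages and is not an NSE script: stand-alone Python that reads the outer signatureAlgorithm OID of a certificate and flags md5WithRSAEncryption. The function names and the sample_pem skeleton are constructed for illustration.

```python
import ssl

# OID of the MD5-based signature algorithm (RFC 3279).
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos, want):
    """Return (value_start, value_end) of the DER element at pos with tag want."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + length > len(buf):
        raise ValueError("unexpected or truncated DER element")
    return pos, pos + length

def decode_oid(body):
    """Turn DER OBJECT IDENTIFIER contents into dotted-decimal text."""
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """OID of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    start, _ = read_tlv(der, 0, 0x30)              # Certificate SEQUENCE
    _, tbs_end = read_tlv(der, start, 0x30)        # tbsCertificate, stepped over
    alg_start, _ = read_tlv(der, tbs_end, 0x30)    # signatureAlgorithm SEQUENCE
    oid_start, oid_end = read_tlv(der, alg_start, 0x06)
    return decode_oid(der[oid_start:oid_end])

def check_pem(pem):
    """Return (oid, weak_name); weak_name is None unless the cert is MD5-signed."""
    oid = signature_oid(ssl.PEM_cert_to_DER_cert(pem))
    return oid, WEAK_SIG_OIDS.get(oid)

def sample_pem(alg_oid_hex):
    """Constructed certificate skeleton (not a real cert) for offline testing."""
    def tlv(tag, body):
        head = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
        return bytes([tag]) + head + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(alg_oid_hex)) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, b"\x00" * 300) + alg + tlv(0x03, b"\x00" * 257))
    return ssl.DER_cert_to_PEM_cert(der)
```

To check a server you operate, pass the PEM text returned by ssl.get_server_certificate((host, port)) to check_pem. Only the certificate the server presents first is examined, so intermediate certificates need the same check.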
Current thread:
- [NSE] MadHat Unspecific (Jan 12)
- Re: [NSE] bensonk (Jan 12)
- Re: [NSE] MadHat Unspecific (Jan 12)
- On the topic of SSL and MD5 (was Re: [NSE]) Brandon Enright (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) MadHat Unspecific (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) Brandon Enright (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) Daniel Roethlisberger (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) Brandon Enright (Jan 12)
- Re: [NSE] bensonk (Jan 12)