Nmap Development mailing list archives

Re: [NSE]


From: MadHat Unspecific <madhat () unspecific com>
Date: Mon, 12 Jan 2009 12:51:40 -0600

bensonk () acm wwu edu wrote:
It sounds like a good idea, can't be too hard.  I would like to point
out that the vulnerability was oversimplified in the media.  From what I
have read, it requires that the cert was produced with "poor quality"
entropy.  Ben Laurie (of the OpenSSL team) posted a couple[1] of items[2]
on his blog about this.  In the comments of those posts, particularly
the second one, there is some more information[3] about the attack.
There's also a link to another blog post which describes exactly how[4] MD5
sigs can be made safe.  

I appreciate all the info.  I know the media oversimplified, but
management does not get the technical details behind it and I have heard
from several people they have been tasked with verifying all their SSL
certs are valid and do not use MD5.  It is more about perception than
reality.  Just being able to verify would be nice.


Benson

[1] http://www.links.org/?p=477
[2] http://www.links.org/?p=480
[3] http://www.links.org/?p=480#comment-274106
[4] http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html

On Mon, Jan 12, 2009 at 11:28:07AM -0600, MadHat Unspecific wrote:
Anyone working on a script to detect MD5 signed SSL certs?

-- 
MadHat (at) Unspecific.com
"The true man wants two things: danger and play.
 For that reason he wants woman, as the most dangerous plaything."
                          - Friedrich Nietzsche

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


-- 
MadHat (at) Unspecific.com
"The true man wants two things: danger and play.
 For that reason he wants woman, as the most dangerous plaything."
                          - Friedrich Nietzsche
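
One way to do the check asked for in this thread, as an added example that is not part of the original messages and is not Nmap or NSE code: standard-library Python that reads the outer signatureAlgorithm OID of a DER or PEM certificate and reports MD5 (and MD2) signatures. The function names and the sample bytes are constructed for illustration; the sample is a certificate-shaped shell, not a real certificate.

```python
import ssl

# Signature-algorithm OIDs built on MD5 or MD2 (PKCS #1 values).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}
# Constructed sample: SEQUENCE { empty TBS, AlgorithmIdentifier(md5WithRSA), dummy BIT STRING }
SAMPLE_MD5_DER = bytes.fromhex("3015" "3000" "300d0609" "2a864886f70d010104" "0500" "03020000")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OID content bytes into dotted-decimal text."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)           # first subidentifier packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_oid(der):
    """OID of Certificate.signatureAlgorithm (the field that follows tbsCertificate)."""
    tag, start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, start)    # skip over tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    return decode_oid(der[oid_start:oid_end])

def weak_signature(cert):
    """Return the weak algorithm name, or None; accepts DER bytes or a PEM string."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return WEAK_SIG_OIDS.get(signature_oid(der))
```

For a live host, `ssl.get_server_certificate((host, 443))` returns the leaf certificate as PEM, which can be passed straight to `weak_signature`; intermediate certificates in the chain need the same check.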
