Nmap Development mailing list archives
Re: On the topic of SSL and MD5 (was Re: [NSE])
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 12 Jan 2009 23:11:01 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 12 Jan 2009 14:40:41 -0600 MadHat Unspecific <madhat () unspecific com> wrote:
Brandon Enright wrote:On Mon, 12 Jan 2009 10:46:39 -0800 bensonk () acm wwu edu wrote: ...snip...There's also a link to another blog post which describes exactly how[4] MD5 sigs can be made safe.<snip>The best solution is to remove all CA certs that sign with MD5 from your browser trust. It is naive to think in a MitM scenario your Nmap scanner is going to scan and detect a cert signed using MD5 *before* the attack starts.Not what anyone was thinking, as far as I know. Once again, the idea of the scan to detect an MD5 signature was not to prevent anything bad from happening, but to manage expectation of management. The issue has been in the news and they don't understand the full technical details. If it makes management feel better to know we do not use any SSL certs signed using md5, then verify for me that we don't use any certs signed with md5. I don't care if it actually helps or not, it makes management happy and guess who signs *MY* check? Also, this is not MY place of business that is having the issue. This is an issue being experienced by friends in the industry. I was merely looking for a way to help them verify if they had any certs that fell into the "concerning" category.
Hi MadHat, I apologize if the tone of my previous email came across as rude or short-sided. My intention was not to argue against writing a SSL+MD5 detection NSE script, it was specifically meant to argue against the idea that there is a safe way to use MD5 signatures on SSL certs. As another developer pointed out privately, it would be nice for admins to know that they are handing out MD5 signed certs so that they can be "part of the solution" by replacing their certs. I fully agree with this point. Lets be clear though, we are talking about a script to facilitate /auditing/, not a script that facilitates any real /security/. Brandon -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAklrzhYACgkQqaGPzAsl94IAYACeJsRC3KIEzxZzkswpUs2XszbM ZdEAniRo/iyMmCBsLd6JxtXK1mQyxa1u =fjHh -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [NSE] MadHat Unspecific (Jan 12)
- Re: [NSE] bensonk (Jan 12)
- Re: [NSE] MadHat Unspecific (Jan 12)
- On the topic of SSL and MD5 (was Re: [NSE]) Brandon Enright (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) MadHat Unspecific (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) Brandon Enright (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) Daniel Roethlisberger (Jan 12)
- Re: On the topic of SSL and MD5 (was Re: [NSE]) Brandon Enright (Jan 12)
- Re: [NSE] bensonk (Jan 12)