oss-sec mailing list archives
Re: Re: CVE Request?: konqueror - https uses all ciphers, even weak ones
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Tue, 04 Mar 2014 11:01:52 +0000
On 03/04/2014 05:38 AM, cve-assign () mitre org wrote:
> - The server can support strong cipher suites, but is misconfigured to select only 40-bit cipher suites. This is a similar situation. If the user must use the server immediately (i.e., he doesn't have time to contact the server operator and ask for a reconfiguration), a 40-bit cipher suite is the right choice.
A misconfigured server might only offer a 40-bit cipher to a peer that offers a 40-bit cipher, but might offer a stronger cipher to a peer that does *not* offer any 40-bit ciphers. Arguably, this involves two different misconfigurations (both server and client), but the issue would be mitigated if the client were not offering a weak cipher and claiming it was a successfully secure connection.

Here is another situation where konqueror successfully indicates a "secure" connection to a server that has a known-insecure configuration: point konqueror at https://demo.cmrg.net/ -- you'll see a successful connection, though that server only offers DHE over a trivially-crackable 16-bit group. NSS-based browsers will throw an ssl_error_weak_server_ephemeral_dh_key error and refuse the connection; konqueror claims it is a secure connection.

--dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
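As an added illustration of the two client-side failures discussed in this message (not code from the thread, and not konqueror's, KDE's or NSS's code): a Python TLS client context that refuses to offer weak suites at all, and an offline parser for the DH parameters carried in a TLS 1.2 ServerKeyExchange so that a captured handshake can be checked for a small group of the demo.cmrg.net kind. The OpenSSL cipher string, the 2048-bit DH threshold (NSS's 2014 cutoff was lower) and the sample parameters are assumptions constructed for the example; the real demo.cmrg.net group is not reproduced.

```python
"""Added example: a client that will not negotiate weak suites or small DHE groups.

Not code from the oss-sec thread or from konqueror/NSS. The cipher string,
the DH size threshold and all sample bytes below are assumptions chosen for
illustration.
"""
import ssl

# Assumed policy: forward-secret AEAD suites only; no anonymous, NULL or MD5
# suites can match. Because this is a whitelist, 40-bit export suites, RC4,
# DES and 3DES are never offered, so a server cannot select them for us.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL:!MD5"
)

# Assumed policy for ephemeral DH groups; tune to taste. NSS's 2014 cutoff
# (the ssl_error_weak_server_ephemeral_dh_key case) was lower than this.
MIN_DH_BITS = 2048


def hardened_client_context(min_tls=ssl.TLSVersion.TLSv1_2):
    """Client SSLContext that never offers weak suites.

    With OpenSSL >= 1.1.0, '@SECLEVEL=2' also makes the library itself abort
    handshakes whose DHE group or RSA key is under 2048 bits, independent of
    what the server would like to choose.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_tls
    try:
        ctx.set_ciphers(HARDENED_CIPHERS + ":@SECLEVEL=2")
    except ssl.SSLError:
        # Older OpenSSL or LibreSSL without security levels: keep the suite
        # whitelist; DH group size must then be checked some other way.
        ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def weakest_symmetric_strength(ctx):
    """Smallest symmetric key strength (bits) among the suites ctx will offer."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def encode_server_dh_params(p, g, ys):
    """Serialise ServerDHParams (RFC 5246 s7.4.3): three length-prefixed opaques."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from a ServerKeyExchange body; reject truncation."""
    values = []
    off = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        n = int.from_bytes(body[off:off + 2], "big")
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length {n} for {name}")
        values.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(values)


def dh_group_bits(body):
    """Bit length of the server's DH prime p."""
    p, _g, _ys = parse_server_dh_params(body)
    return p.bit_length()


def dhe_group_acceptable(body, min_bits=MIN_DH_BITS):
    """True if the offered DHE group meets policy; a client should otherwise abort."""
    return dh_group_bits(body) >= min_bits


# Constructed samples (not real handshake captures): a 16-bit group of the sort
# the message describes, and a prime-sized 2048-bit value used only for the
# length check (it is not claimed to be a safe prime).
WEAK_16BIT_SKE = encode_server_dh_params(65521, 2, 12345)
OK_2048BIT_SKE = encode_server_dh_params((1 << 2047) | 12345, 2, 5)

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("weakest offered suite:", weakest_symmetric_strength(ctx), "bits")
    for label, ske in (("16-bit", WEAK_16BIT_SKE), ("2048-bit", OK_2048BIT_SKE)):
        verdict = "accept" if dhe_group_acceptable(ske) else "REFUSE (weak DH)"
        print(f"{label} group: {dh_group_bits(ske)} bits -> {verdict}")
```

The suite whitelist addresses the first scenario in the message: a server that selects a 40-bit suite only because the client offered one never gets the chance. The DH check addresses the second: a browser that parses the group size before finishing the handshake can refuse, as NSS does, instead of reporting the session as secure.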
Current thread:
- CVE Request?: konqueror - https uses all ciphers, even weak ones Marcus Meissner (Feb 27)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Tim Brown (Mar 03)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Kurt Seifried (Mar 03)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones cve-assign (Mar 03)
- Re: Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Daniel Kahn Gillmor (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones John Haxby (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Daniel Kahn Gillmor (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Daniel Kahn Gillmor (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones John Haxby (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Daniel Kahn Gillmor (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Jann Horn (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Felix Eckhofer (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Moritz Naumann (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Kurt Seifried (Mar 03)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Tim Brown (Mar 03)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Hanno Böck (Mar 04)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Kurt Seifried (Mar 04)