[security] [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Aug 8 11:44:56 UTC 2008
Ben Laurie:
> Security Advisory (08-AUG-2008) (CVE-2008-3280)
> ===============================================
>
> Ben Laurie of Google's Applied Security team, while working with an
> external researcher, Dr. Richard Clayton of the Computer Laboratory,
> Cambridge University, found that various OpenID Providers (OPs) had
> TLS Server Certificates that used weak keys, as a result of the Debian
> Predictable Random Number Generator (CVE-2008-0166).
>
> In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and
> the fact that almost all SSL/TLS implementations do not consult CRLs
> (currently an untracked issue), this means that it is impossible to
> rely on these OPs.
>
This affects any web site and service provider of various natures. It's
not exclusive for OpenID nor for any other protocol / standard /
service! It may affect an OpenID provider if it uses a compromised key
in combination with unpatched DNS servers. I don't understand why OpenID
is singled out, since it can potentially affect any web site including
Google's various services (if Google would have used Debian systems to
create their private keys).
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20080808/04be3525/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7327 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20080808/04be3525/attachment-0002.bin>
More information about the security
mailing list