[OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
Jim Cheetham
jim at inode.co.nz
Tue Aug 12 04:58:57 UTC 2008
Ben Laurie:
> Security Advisory (08-AUG-2008) (CVE-2008-3280)
> ...
> Affected Sites
> --------------
> openid.net.nz
On behalf of openid.net.nz (as I am "just" a service supplier to the
company), I can confirm that the weak/compromised SSL certificate used
by openid.net.nz has been replaced by a strong certificate. Apologies
for the delay here, it has as usual coincided with important people
being off the net for extended periods of time (aka "holiday").
However, given that openid.net.nz uses a self-signed certificate, the
threat mechanism suggested by Ben probably does not materially change
the "security level" of this service, which is not high.
Most of his points are around the types of authentication implicitly
and explicitly accepted/used by the OpenID implementations around the
net, and I can't address them from here, but if anyone has any
specific recommendation I'll be pleased to hear them :-)
-jim
http://inode.co.nz/