[security] [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Aug 8 19:27:13 UTC 2008
Ben Laurie:
> On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
> <eddy_nigg at startcom.org> wrote:
>
>> This affects any web site and service provider of various natures. It's not
>> exclusive for OpenID nor for any other protocol / standard / service! It may
>> affect an OpenID provider if it uses a compromised key in combination with
>> unpatched DNS servers. I don't understand why OpenID is singled out, since
>> it can potentially affect any web site including Google's various services
>> (if Google would have used Debian systems to create their private keys).
>>
>
> OpenID is "singled out" because I am not talking about a potential
> problem but an actual problem.
>
Sorry Ben, but any web site or service (HTTP, SMPT, IMAP, SSH, VPN, etc)
which makes use of a compromised key has an actual problem and not *a*
potential problem. Open ID as a standard isn't more affected than, lets
say XMPP...If there are servers and providers relying on such keys the
have a real actual problem. I don't see your point about Open ID nor
didn't I see anything new....
The problem of weak keys should be dealt at the CA level, many which
have failed to do anything serious about it.
> We have spotted other actual problems in other services. Details will
> be forthcoming at appropriate times.
>
I think it's superfluous to single out different services since any
service making use of the weak keys is affected, with recent discovery
of DNS poisoning making the matter worse. I suggest you try a forum
which can potentially reach many CAs, they in fact have everything at
their disposal to remove this threat!
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20080808/8cc69f3e/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7327 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20080808/8cc69f3e/attachment-0002.bin>
More information about the security
mailing list