[security] SL compromise

Ben Laurie benl at google.com
Fri Mar 25 10:29:23 UTC 2011


On 24 March 2011 17:19, John Bradley <ve7jtb at ve7jtb.com> wrote:
> The obvious vulnerability would be an attacker that knew some number of
> openId at a given RP, by spoofing DNS and SSL they could gain access to
> those accounts by setting up a Rogue IdP with the fraudulent SSL cert.
> This requires a DNS or routing vulnerability at the RP to be successful.

Or a man-in-the-middle.

> Not an easy attack.

Rather depends who you are :-) Pretty easy for ISPs, for example.

> However no attack is good.
> For the FICAM openID profile we required OCSP or CRL checking for RP to
> mitigate this risk.
> John B.
> On 2011-03-24, at 1:08 PM, Mike Hanson wrote:
>
> Thanks for the clarification, Phillip.
> m
> On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:
>
> No login servers were affected.
> Several domains on which the servers are deployed were affected but not the
> login servers.
>
>
> On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <mhanson at mozilla.com> wrote:
>>
>> Comodo has posted a detailed incident report here:
>> http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
>>
>> Several login servers were affected.
>>
>> -MH
>>
>>
>> On Mar 24, 2011, at 7:09 AM, John Bradley wrote:
>>
>> >
>> >
>> >
>> > http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
>> >
>> > The browser vendors blocking those certificates is nice, however there
>> > are attacks on RP that could be done with those certificates that are still
>> > open.
>> >
>> > In testing something like 0% of RP check OCSP or CRL, the libs don't
>> > force openSSL to do those checks (I think DNOA will do them in FICAM mode)
>> >
>> > So perhaps encouraging people to perform those checks would be a good
>> > idea.
>> >
>> > We can only hope that none of the 9 certificates cover openID OP,
>> > otherwise user accounts at RP could theoretically be compromised.
>> >
>> > John B.
>> >
>> >
>> > _______________________________________________
>> > security mailing list
>> > security at lists.openid.net
>> > http://lists.openid.net/mailman/listinfo/openid-security
>>
> --
> Website: http://hallambaker.com/


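The thread's point is that an RP which never asks its TLS library for revocation checks will keep trusting a certificate the CA has already revoked. The script below is an added example, not code from the thread or any of its authors: it builds a throwaway CA and a leaf certificate for a hypothetical OP host (all names and files are constructed), revokes the leaf, publishes a CRL, and then shows that `openssl verify` only notices the revocation when `-crl_check` is given.

```shell
# Added example, not code from the thread or its authors. Everything here is
# constructed: a throwaway CA, a leaf for a hypothetical OP host, and a CRL.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal config: "openssl ca" needs a database, serial and CRL number files.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Throwaway CA, then a leaf certificate issued to the hypothetical OP host.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj /CN=Demo-CA -days 1 -config ca.cnf >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj /CN=op.example.test -config ca.cnf >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out leaf.pem -days 1 >/dev/null 2>&1
# The CA revokes the leaf, as it would after a mis-issuance, and publishes a CRL.
openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
cat ca.pem crl.pem > trust_with_crl.pem   # trust anchor plus the CRL
# verify_leaf plain|crl prints "ok" or "revoked"; only "crl" mode passes
# -crl_check, so only it rejects the revoked certificate. Output is matched
# rather than the exit status because old OpenSSL releases exit 0 on failure.
verify_leaf() {
  if [ "$1" = crl ]; then
    out=$(openssl verify -crl_check -CAfile trust_with_crl.pem leaf.pem 2>&1 || true)
  else
    out=$(openssl verify -CAfile ca.pem leaf.pem 2>&1 || true)
  fi
  case "$out" in *": OK"*) echo ok ;; *) echo revoked ;; esac
}
echo "without -crl_check: $(verify_leaf plain); with -crl_check: $(verify_leaf crl)"
```

The same fail-open behaviour applies to any OpenSSL-based client whose `X509_VERIFY_PARAM` flags never get `X509_V_FLAG_CRL_CHECK` set, which is what the thread means by the libraries not forcing the check.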