full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] OpenID/Debian PRNG/DNS

Re: [Full-disclosure] OpenID/Debian PRNG/DNS Cache poisoning advisory

From: Leichter, Jerry <leichter_jerrold_at_nospam>
Date: Fri Aug 08 2008 - 17:04:16 GMT
To: Dave Korn <dave.korn@artimi.com>

On Fri, 8 Aug 2008, Dave Korn wrote:
| > Isn't this a good argument for blacklisting the keys on the client
| > side?
| Isn't that exactly what "Browsers must check CRLs" means in this
| context anyway? What alternative client-side blacklisting mechanism
| do you suggest?

Since the list of bad keys is known and fairly short, one could explicitly check for them in the browser code, without reference to any external CRL.

Of course, the browser itself may not see the bad key - it may see key for something that *contains* a bad key. So such a check would not be complete. Still, it couldn't hurt.

One could put similar checks everywhere that keys are used. Think of it as the modern version of code that checks for and rejects DES weak and semi-weak keys. The more code out there that does the check, the faster bad keys will be driven out of use.

  • Jerry

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/