full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] [OpenID] OpenID/Debian

Re: [Full-disclosure] [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

From: Eddy Nigg (StartCom Ltd.) <eddy_nigg_at_nospam>
Date: Fri Aug 08 2008 - 19:27:13 GMT
To: Ben Laurie <benl@google.com>

Ben Laurie:
> On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
> <eddy_nigg@startcom.org> wrote:
>> This affects any web site and service provider of various natures. It's not
>> exclusive for OpenID nor for any other protocol / standard / service! It may
>> affect an OpenID provider if it uses a compromised key in combination with
>> unpatched DNS servers. I don't understand why OpenID is singled out, since
>> it can potentially affect any web site including Google's various services
>> (if Google would have used Debian systems to create their private keys).
> OpenID is "singled out" because I am not talking about a potential
> problem but an actual problem.

Sorry Ben, but any web site or service (HTTP, SMPT, IMAP, SSH, VPN, etc) which makes use of a compromised key has an actual problem and not *a* potential problem. Open ID as a standard isn't more affected than, lets say XMPP...If there are servers and providers relying on such keys the have a real actual problem. I don't see your point about Open ID nor didn't I see anything new....

The problem of weak keys should be dealt at the CA level, many which have failed to do anything serious about it.

> We have spotted other actual problems in other services. Details will
> be forthcoming at appropriate times.

I think it's superfluous to single out different services since any service making use of the weak keys is affected, with recent discovery of DNS poisoning making the matter worse. I suggest you try a forum which can potentially reach many CAs, they in fact have everything at their disposal to remove this threat!

Regards Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org> Jabber: startcom@startcom.org <xmpp:startcom@startcom.org> Blog: Join the Revolution! <http://blog.startcom.org> Phone: +1.213.341.0390

_______________________________________________ Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/