|Main Archive Page > Month Archives > full-disclosure-uk archives|
> On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
> <email@example.com> wrote:
>> This affects any web site and service provider of various natures. It's not
>> exclusive for OpenID nor for any other protocol / standard / service! It may
>> affect an OpenID provider if it uses a compromised key in combination with
>> unpatched DNS servers. I don't understand why OpenID is singled out, since
>> it can potentially affect any web site including Google's various services
>> (if Google would have used Debian systems to create their private keys).
> OpenID is "singled out" because I am not talking about a potential
> problem but an actual problem.
Sorry Ben, but any web site or service (HTTP, SMPT, IMAP, SSH, VPN, etc) which makes use of a compromised key has an actual problem and not *a* potential problem. Open ID as a standard isn't more affected than, lets say XMPP...If there are servers and providers relying on such keys the have a real actual problem. I don't see your point about Open ID nor didn't I see anything new....
The problem of weak keys should be dealt at the CA level, many which have failed to do anything serious about it.
> We have spotted other actual problems in other services. Details will
> be forthcoming at appropriate times.
I think it's superfluous to single out different services since any service making use of the weak keys is affected, with recent discovery of DNS poisoning making the matter worse. I suggest you try a forum which can potentially reach many CAs, they in fact have everything at their disposal to remove this threat!
Regards Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org> Jabber: firstname.lastname@example.org <xmpp:email@example.com> Blog: Join the Revolution! <http://blog.startcom.org> Phone: +1.213.341.0390
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/