|Main Archive Page > Month Archives > full-disclosure-uk archives|
You could use the SSL Blacklist plugin
(http://codefromthe70s.org/sslblacklist.asp) for Firefox or heise SSL Guardian
(http://www.heise-online.co.uk/security/Heise-SSL-Guardian--/features/11 1039/) for IE to do this. If presented with a Debian key the show a warning.
The blacklists are implemented using either a traditional blacklist (text file) or distributed using DNS.
[mailto:firstname.lastname@example.org] On Behalf Of Eric Rescorla Sent: 8. august 2008 17:06
To: Ben Laurie
Cc: email@example.com; firstname.lastname@example.org; OpenID List; email@example.com; firstname.lastname@example.org Subject: Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
> However, since the CRLs will almost certainly not be checked, this
> means the site will still be vulnerable to attack for the lifetime of
> the certificate (and perhaps beyond, depending on user behaviour).
> Note that shutting down the site DOES NOT prevent the attack.
> Therefore mitigation falls to other parties.
> 1. Browsers must check CRLs by default.
Isn't this a good argument for blacklisting the keys on the client side?