Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: RE: OpenID/Debian PRNG/DNS Cache poisoning advisory

RE: OpenID/Debian PRNG/DNS Cache poisoning advisory

From: Leichter, Jerry <leichter_jerrold_at_emc.com>
Date: Fri, 8 Aug 2008 13:04:16 -0400 (EDT)

On Fri, 8 Aug 2008, Dave Korn wrote:
| > Isn't this a good argument for blacklisting the keys on the client
| > side?
|
| Isn't that exactly what "Browsers must check CRLs" means in this
| context anyway? What alternative client-side blacklisting mechanism
| do you suggest?
Since the list of bad keys is known and fairly short, one could
explicitly check for them in the browser code, without reference to
any external CRL.

Of course, the browser itself may not see the bad key - it may see key
for something that *contains* a bad key. So such a check would not be
complete. Still, it couldn't hurt.

One could put similar checks everywhere that keys are used. Think of it
as the modern version of code that checks for and rejects DES weak and
semi-weak keys. The more code out there that does the check, the faster
bad keys will be driven out of use.

                                                        -- Jerry
Received on Aug 08 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]