|
Nmap Development
mailing list archives
Re: [NSE]
From: bensonk () acm wwu edu
Date: Mon, 12 Jan 2009 10:46:39 -0800
It sounds like a good idea, can't be too hard. I would like to point
out that the vulnerability was oversimplified in the media. From what I
have read, it requires that the cert was produced with "poor quality"
entropy. Ben Laurie (of the OpenSSL team) posted a couple[1] of items[2]
on his blog about this. In the comments of those posts, particularly
the second one, there is some more information[3] about the attack.
There's also a link to another blog post which describes exactly how[4] MD5
sigs can be made safe.
Benson
[1] http://www.links.org/?p=477
[2] http://www.links.org/?p=480
[3] http://www.links.org/?p=480#comment-274106
[4] http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html
On Mon, Jan 12, 2009 at 11:28:07AM -0600, MadHat Unspecific wrote:
Anyone working on a script to detect MD5 signed SSL certs?
--
MadHat (at) Unspecific.com
"The true man wants two things: danger and play.
For that reason he wants woman, as the most dangerous plaything."
- Friedrich Nietzsche
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Attachment:
_bin
Description:
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
 By Date 
By Thread
Current thread:
- [NSE] MadHat Unspecific (Jan 12)
- Re: [NSE] bensonk (Jan 12)
| 
Intro
