Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Craig Heffner
-- From: Craig Heffner Sent: Sunday, December 19, 2010 5:56 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Default SSL Keys in Multiple Routers Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Michal Zalewski
These manufacturers use the same key on each of their models?  That seems ridiculous to me... As a person who had a Siemens AP / router with a hardcoded, hidden management account on it, I find your surprise entertaining ;-) Craig, cool project. /mz

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Thor (Hammer of God)
concern, but it is still interesting. t -Original Message- From: Michal Zalewski [mailto:lcam...@coredump.cx] Sent: Monday, December 20, 2010 8:16 AM To: Thor (Hammer of God) Cc: Craig Heffner; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Default SSL Keys

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread BMF
On Sat, Dec 18, 2010 at 7:13 PM, Craig Heffner cheff...@devttys0.com wrote: The LittleBlackBox project contains a database of over 2,000 (and growing) private SSL keys that are correlated with their respective public certificates, and hardware/firmware versions. While most of these

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread coderman
On Mon, Dec 20, 2010 at 4:04 PM, BMF badmotherfs...@gmail.com wrote: ... Most of what I have read so far indicates that these secret keys can be used to sniff only administrative traffic to the device itself. right. considering 97.3% of these devices have trivial XSRF, remote access, and other

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Jeffrey Walton
On Mon, Dec 20, 2010 at 7:04 PM, BMF badmotherfs...@gmail.com wrote: On Sat, Dec 18, 2010 at 7:13 PM, Craig Heffner cheff...@devttys0.com wrote: The LittleBlackBox project contains a database of over 2,000 (and growing) private SSL keys that are correlated with their respective public

[Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-19 Thread Craig Heffner
Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device's firmware. The LittleBlackBox project contains a database of over 2,000 (and growing) private SSL keys that are correlated with their

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-19 Thread Thor (Hammer of God)
These manufacturers use the same key on each of their models? That seems ridiculous to me... T From: Craig Heffner Sent: Sunday, December 19, 2010 5:56 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Default SSL Keys in Multiple Routers Many

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-19 Thread Thor (Hammer of God)
-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Default SSL Keys in Multiple Routers From a security standpoint, it is. But it's easier and probably more cost effective for the manufacturer. Sometimes the key will be different between firmware versions, sometimes it won't. Sometimes