Could you elaborate an attack scenario that depends on root certificate signature?
The job of a security scanner is not to point at any shit, it is to point at dangerous shit.

On Mon, Apr 09, 2018 at 10:26:54AM +0200, Reindl Harald wrote:
> jesus add an override and you are done
>
> MD5/SHA1 certificates are shit and it's the job of a security scanner to
> point that out - for anything which you don't want to see local
> overrides are the way to go
>
> On 07.04.2018 at 18:32, Alex Smirnoff wrote:
> > Huh?
> >
> > It is relevant. But it is irrelevant for anything that is self-signed.
> > Isn't it obvious?
> >
> > On Thu, Mar 29, 2018 at 08:41:25PM +0200, Reindl Harald wrote:
> >>
> >>
> >> On 29.03.2018 at 20:29, Alex Smirnoff wrote:
> >>> Could you elaborate, exactly how weak hash could matter for self-signed
> >>> certificate? Without vague references like "if you don't want to trust
> >>> the NSA and NIST". I do not see any of those organisations stating that
> >>> weak hash is dangerous for a situation where signature itself is
> >>> irrelevant
> >>
> >> if the signature is irrelevant why do you use https at all?
> >> WTF!
> >>
> >> there is no technical difference between your self-signed stuff or
> >> certificates signed by a public CA except that you *one time* need to make
> >> an exception in the client
> >
> _______________________________________________
> Openvas-discuss mailing list
> Openvasemail@example.com
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss