I dare to say any "external security audit" which considers that being a
problem is performed by morons that should be replaced ASAP.

No, I won't get fired, for sure. And I won't work for any employer where
I could get fired for standing my point.

On Tue, Apr 10, 2018 at 05:16:43PM +0200, Reindl Harald wrote:
> 
> 
> Am 10.04.2018 um 17:12 schrieb Alex Smirnoff:
> > Could you elaborate an attack scenario that depends on root certificate
> > signature?
> > 
> > The job of security scanner is not to point at any shit, it is to point
> > at dangerous shit.
> 
> its job is to point out shit which would lead to not surviving an external
> security audit where you get simply fired when you argue like that, so
> that you can fix your crap before
> 
> in the time you are complaining here instead of making the needed overrides
> you could have replaced your crap all over the infrastructure easily
> 
> and if it's not doable in that time your infrastructure is crap because
> nobody gave a shit thinking about automated certificate replacement /
> deployment
> 
> > On Mon, Apr 09, 2018 at 10:26:54AM +0200, Reindl Harald wrote:
> >> jesus add a override and you are done
> >>
> >> MD5/SHA1 certificates are shit and it's the job of a security scanner to
> >> point that out - for anything which you don't want to see, local
> >> overrides are the way to go
> >>
> >> Am 07.04.2018 um 18:32 schrieb Alex Smirnoff:
> >>> Huh?
> >>>
> >>> It is relevant. But it is irrelevant for anything that is self-signed.
> >>> Isn't it obvious?
> >>>
> >>> On Thu, Mar 29, 2018 at 08:41:25PM +0200, Reindl Harald wrote:
> >>>>
> >>>>
> >>>> Am 29.03.2018 um 20:29 schrieb Alex Smirnoff:
> >>>>> Could you elaborate, exactly how weak hash could matter for self-signed
> >>>>> certificate? Without vague references like "if you don't want to trust
> >>>>> the NSA and NIST". I do not see any of those organisations stating that
> >>>>> weak hash is dangerous for a situation where signature itself is
> >>>>> irrelevant
> >>>>
> >>>> if the signature is irrelevant why do you use https at all?
> >>>> WTF!
> >>>>
> >>>> there is no technical difference between your self-signed stuff or
> >>>> certificates signed by a public CA except that you *one time* need to
> >>>> make an exception in the client
> _______________________________________________
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
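What the two sides are arguing about is a single field in the certificate: the signatureAlgorithm identifier that the scanner reads and rates. The script below is an added example written for this page, not code from the openvas-discuss thread or from the OpenVAS project. It assumes an `openssl` binary on PATH, builds two throwaway self-signed certificates for a made-up CN (scanner-demo) in a temporary directory, extracts the algorithm the way a scanner would, and rates it; the function names and the CN are assumptions for the demo. It also shows the "replace it" side of the argument: regenerating with `-sha256` is all it takes for the finding to go away.

```sh
#!/bin/sh
# Added example for this thread, not OpenVAS code. Assumes `openssl` on PATH.
# Shows what a "weak signature hash" finding is based on (the X.509
# signatureAlgorithm field) and how a self-signed cert is regenerated so
# the finding disappears. Certificates below are constructed demo data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sig_alg FILE: print the certificate's signature algorithm name as OpenSSL
# prints it, e.g. "sha256WithRSAEncryption". The first "Signature Algorithm:"
# line of the text dump is the one inside tbsCertificate.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# rate_cert FILE: print "weak" for MD2/MD4/MD5/SHA-1 signatures, "ok" otherwise.
# This is the same decision a scanner check makes; it looks only at the
# algorithm identifier and does not care whether the issuer is a public CA
# or the certificate itself.
rate_cert() {
    alg=$(sig_alg "$1" | tr 'A-Z' 'a-z')
    case "$alg" in
        *md2*|*md4*|*md5*|*sha1*) echo weak ;;
        *) echo ok ;;
    esac
}

# mkcert NAME DIGEST: self-signed RSA certificate for CN=scanner-demo (assumed
# name) signed with DIGEST (sha256, sha1, ...). Returns non-zero if this
# OpenSSL build refuses the digest, e.g. SHA-1 under a strict crypto policy.
mkcert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj /CN=scanner-demo "-$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The replacement the thread recommends: sign with SHA-256.
mkcert good sha256
printf 'good.pem: %s -> %s\n' "$(sig_alg "$WORK/good.pem")" "$(rate_cert "$WORK/good.pem")"

# The certificate the scanner complains about: same key type, SHA-1 signature.
if mkcert bad sha1; then
    printf 'bad.pem:  %s -> %s\n' "$(sig_alg "$WORK/bad.pem")" "$(rate_cert "$WORK/bad.pem")"
else
    echo 'bad.pem: this OpenSSL build refuses to sign with SHA-1'
fi
```

Expected output on a build that still signs with SHA-1 is `good.pem: sha256WithRSAEncryption -> ok` followed by `bad.pem:  sha1WithRSAEncryption -> weak`. Note what the check does not see: how the client trusts the certificate. A client that trusts a self-signed certificate through an explicit exception or a pinned fingerprint never validates its signature against a CA, while a client that validates a chain does; the scanner rates the algorithm identifier the same way in both cases, which is exactly why the thread lands on "fix the field or add an override".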