I dare to say any "external security audit" which considers that being a problem is performed by morons that should be replaced ASAP.

No, I won't get fired, for sure. And I won't work for any employer where I could get fired for standing my point.

On Tue, Apr 10, 2018 at 05:16:43PM +0200, Reindl Harald wrote:
>
>
> On 10.04.2018 at 17:12, Alex Smirnoff wrote:
> > Could you elaborate an attack scenario that depends on root certificate
> > signature?
> >
> > The job of security scanner is not to point at any shit, it is to point
> > at dangerous shit.
>
> its job is to point out shit which would lead to not survive an external
> security audit where you get simply fired when you argue like that so
> that you can fix your crap before
>
> in the time you are complaining here instead make the needed overrides
> you could have replaced your crap all over the infrastructure easily
>
> and if it's not doable in that time your infrastructure is crap because
> nobody gave a shit thinking about automated certificate replacement /
> deployment
>
> > On Mon, Apr 09, 2018 at 10:26:54AM +0200, Reindl Harald wrote:
> >> jesus add an override and you are done
> >>
> >> MD5/SHA1 certificates are shit and it's the job of a security scanner to
> >> point that out - for anything which you don't want to see local
> >> overrides are the way to go
> >>
> >> On 07.04.2018 at 18:32, Alex Smirnoff wrote:
> >>> Huh?
> >>>
> >>> It is relevant. But it is irrelevant for anything that is self-signed.
> >>> Isn't it obvious?
> >>>
> >>> On Thu, Mar 29, 2018 at 08:41:25PM +0200, Reindl Harald wrote:
> >>>>
> >>>>
> >>>> On 29.03.2018 at 20:29, Alex Smirnoff wrote:
> >>>>> Could you elaborate, exactly how weak hash could matter for self-signed
> >>>>> certificate? Without vague references like "if you don't want to trust
> >>>>> the NSA and NIST". I do not see any of those organisations stating that
> >>>>> weak hash is dangerous for a situation where signature itself is
> >>>>> irrelevant
> >>>>
> >>>> if the signature is irrelevant why do you use https at all?
> >>>> WTF!
> >>>>
> >>>> there is no technical difference between your self-signed stuff or
> >>>> certificates signed by a public CA except that you *one time* need to
> >>>> make
> >>>> an exception in the client
> _______________________________________________
> Openvas-discuss mailing list
> [email protected]
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
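The point the thread argues over, whether the signature hash on a self-signed certificate is ever checked, can be tested against a real client library. The following is an added example, not code from the list or from OpenVAS; it uses Go's standard crypto/x509 package, builds certificates in memory under constructed names, and contrasts a SHA-1 self-signed certificate trusted directly as a root (its signature is never verified) with the same SHA-1 signature on a certificate that root issues (verified, and rejected by Go 1.18 and later).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the example short: setup failures abort
	if err != nil {
		panic(err)
	}
	return v
}

// buildSHA1Certs constructs, in memory, a self-signed CA and a leaf it issues; both carry SHA-1/RSA signatures.
func buildSHA1Certs() (self, leaf *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // one key reused for both certs, for brevity
	now := time.Now()
	mk := func(serial int64, cn string, ca bool, parent *x509.Certificate) *x509.Certificate {
		tmpl := &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn}, // constructed names
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(time.Hour),
			IsCA:                  ca,
			BasicConstraintsValid: true,
			SignatureAlgorithm:    x509.SHA1WithRSA, // the weak hash the scanner reports
		}
		if parent == nil {
			parent = tmpl // self-signed: the template is its own issuer
		}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key))
		return must(x509.ParseCertificate(der))
	}
	self = mk(1, "self-signed-example", true, nil)
	return self, mk(2, "leaf-example", false, self)
}

// verifyAgainst validates cert with trusted as the only root, i.e. the "one time exception in the client".
// A root's own signature is never checked, so the SHA-1 self-signed cert passes when it is the root itself.
func verifyAgainst(cert, trusted *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}
```

Run verifyAgainst(self, self) and verifyAgainst(leaf, self) to see the two outcomes: the first returns nil, the second an error naming the insecure algorithm.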
