Well, actually it is a NASL script "bug". I put the word "bug" in quotes
because some people would argue that it is intended behavior, but still:


The proper check should be "if the certificate is self-signed, then weak
hash is either non-issue or low criticality bug depending on your
settings". But almost all security scanners behave the same way OpenVAS
does, making no difference between self-signed certificates (which
include all root certificates de facto) and regular ones.

BTW, "regular" (non-root) self-signed certs may pose some threat in this
context, because the certificate check is implementation dependent: if
you put the whole public key into trusted repository, then it is
probably ok. But if you just whitelist the signature, then it could be
spoofed if the hash is weak. For root certificates you always have the
whole certificate including the public key in the local store, so it
cannot be spoofed.

On Wed, Apr 11, 2018 at 03:50:35PM +0200, Reindl Harald wrote:
> 
> Am 11.04.2018 um 15:21 schrieb Alex Smirnoff:
> > On Tue, Apr 10, 2018 at 10:16:39PM +0200, Reindl Harald wrote:
> >> what the hell are you argue here?
> > 
> > Show. Me. A. Real. Attack. Scenario. Where. It. Matters.
> > 
> > Then I would fix. "Because OpenVAS does not like it" may be good enough
> > reason if a person who does the scans asks politely. But only in that
> > case
> 
> well, and others instead make a drama are happy that it get pointed out
> and they have 2 options:
> 
> * override and ignore it
> * fix it and be done
> 
> in the whole time you write responses how smart you are you could have
> done both multiple times
> 
> "Man, I work in information security for fscking 30 years. I got my
> first CSO job at 1996. And i spent significant share of those years
> kicking checklist moron's asses. It is that simple!" is completely
> irrelevant because in the time i argue and kick ass i can solve the
> problem and be done - it is that simple
_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
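The triage rule Alex describes above (self-signed plus a weak signature hash is a non-issue or a low finding depending on how the relying party trusts the certificate; CA-signed is the scanner's real finding) as an added example in Python. This is editor-written code, not OpenVAS's NASL check; the trust-model names, the severity labels and the optional adapter for real certificates (which assumes the `cryptography` package, version 40 or newer) are assumptions made for illustration.

```python
from dataclasses import dataclass

WEAK_HASHES = {"md2", "md4", "md5", "sha1"}


@dataclass
class CertFacts:
    subject: str            # RFC 4514 DN string, e.g. "CN=internal.example"
    issuer: str
    sig_hash: str           # signature hash name, lower-case: "sha1", "sha256", ...
    self_signature_ok: bool  # does the signature verify with the cert's own key?
    # How the relying party trusts it (assumed labels): "full_cert", "public_key",
    # "signature" (only the signature is whitelisted) or "ca_chain".
    trust_model: str


def is_self_signed(c: CertFacts) -> bool:
    # Both conditions matter: issuer == subject alone is just a name claim; the
    # signature must also verify with the certificate's own public key.
    return c.subject == c.issuer and c.self_signature_ok


def classify_weak_hash(c: CertFacts) -> str:
    """Return 'none', 'info', 'low' or 'scanner' (keep the scanner's own severity)."""
    if c.sig_hash not in WEAK_HASHES:
        return "none"
    if not is_self_signed(c):
        # CA-signed leaf or intermediate: the weak hash is the finding the
        # scanner actually intends to report, so leave its severity alone.
        return "scanner"
    # Self-signed: the signature proves nothing extra to a relying party that
    # already holds the whole certificate or its public key (root-CA style trust).
    if c.trust_model in ("full_cert", "public_key"):
        return "info"
    # Only the signature is whitelisted: with a weak hash a different certificate
    # could be made to match it, so keep this as a low finding.
    return "low"


def facts_from_pem(pem: bytes, trust_model: str) -> CertFacts:
    """Adapter for real certificates; assumes the 'cryptography' package (>= 40)."""
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem)
    try:
        # Checks issuer name == subject name and verifies the signature with the
        # certificate's own key (RSA PKCS#1 v1.5, ECDSA, EdDSA); anything else fails.
        cert.verify_directly_issued_by(cert)
        ok = True
    except Exception:
        ok = False
    h = cert.signature_hash_algorithm
    return CertFacts(cert.subject.rfc4514_string(), cert.issuer.rfc4514_string(),
                     h.name if h else "none", ok, trust_model)
```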