Re: SHA1 collisions proven possible

2017-02-26 Thread Eitan Adler
On 26 February 2017 at 22:15, Patrick W. Gilmore <patr...@ianai.net> wrote:
> Composed on a virtual keyboard, please forgive typos.
>
> On Feb 26, 2017, at 21:16, Matt Palmer <mpal...@hezmatt.org> wrote:
>>> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
>>>> On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
>>>> I repeat something I've said a couple times in this thread: If I can
>>>> somehow create two docs with the same hash, and somehow con someone
>>>> into using one of them, chances are there are bigger problems than a
>>>> SHA1 hash collision.
>>>>
>>>> If you assume I could somehow get Verisign to use a cert I created to
>>>> match another cert with the same hash, why in the hell would that
>>>> matter?  I HAVE THE ONE VERISIGN IS USING.  Game over.
>>>>
>>>> Valdis came up with a possible use of such documents. While I do not
>>>> think there is zero utility in those instances, they are pretty small
>>>> vectors compared to, say, having a root cert at a major CA.
>>>
>>> I want a google.com cert.  I ask a CA to sign my fake google.com
>>> certificate.  They decline, because I can't prove I control google.com.
>>
>> Even better: I want a CA cert.  I convince a CA to issue me a regular,
>> end-entity cert for `example.com` (which I control) in such a way that I can
>> generate another cert with the same SHA1 hash, but which has `CA:TRUE` for
>> the Basic Constraints extension.
>>
>> Wham!  I can now generate certs for *EVERYONE*.  At least until someone
>> notices and takes away my shiny new toy...
>
> Since I have said this somewhere on the order of half a dozen times, I will 
> assume I am missing something obvious and all of you are doing it right.
>
> So let me ask you: The attack creates two docs. You do not know the hash 
> before the attack starts. You cannot take an existing file with a known hash 
> and create a second file which matches the known hash. You start with 
> nothing, run the "attack", and get two NEW docs that have the same hash. A 
> hash which is brand new.
>
> Now, please explain how you take a cert with one hash and somehow use this 
> attack, which creates two new docs with a new hash, to do, well, anything?

1. Create a certificate C[ert] for a single domain you control with hash h(C).
2. Create a second certificate A[ttack] marked as a certificate
authority such that h(C) = h(A).
3. Have a certificate authority sign cert C.
4. Present the signature for A along with A for whatever nefarious
purpose you want.

See a similar version of this attack here using MD5 chosen-prefix
collision attack: https://www.win.tue.nl/hashclash/rogue-ca/



-- 
Eitan Adler
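The four steps above turn on one property of hash-then-sign schemes: the signature covers only the digest of the to-be-signed data, so any two documents with the same digest share every signature. The following Python is an added illustration of that property on a toy scheme, not code from the thread or from the hashclash project it links to. It uses SHA-256 truncated to two bytes as a deliberately weak hash (so a colliding pair can be found in milliseconds by a birthday search), HMAC under a constructed key as a stand-in for the CA's signing primitive, and two constructed certificate-like strings that differ only in a CA:TRUE/CA:FALSE field. The same search against the full 32-byte digest finds nothing within the same budget, which is the defender's point: the fix is a collision-resistant digest (SHA-256 signatures, with SHA-1 signatures treated as untrusted), not anything about the signature algorithm itself.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed demo key; it stands in for the CA's private signing key.
SIGNING_KEY = b"demo-ca-signing-key"


def digest(data: bytes, nbytes: int) -> bytes:
    """SHA-256 truncated to `nbytes` bytes. Small values give a deliberately
    weak hash so a collision is cheap to find; nbytes=32 is the full,
    collision-resistant digest."""
    return hashlib.sha256(data).digest()[:nbytes]


def sign(doc: bytes, nbytes: int) -> bytes:
    """Hash-then-sign: the signature covers only digest(doc), just as an X.509
    signature covers a digest of the to-be-signed certificate. HMAC stands in
    for the CA's signature primitive (assumption for the demo)."""
    return hmac.new(SIGNING_KEY, digest(doc, nbytes), "sha256").digest()


def verify(doc: bytes, sig: bytes, nbytes: int) -> bool:
    """Recompute the signature over doc's digest and compare in constant time."""
    return hmac.compare_digest(sign(doc, nbytes), sig)


def find_colliding_pair(benign: bytes, malicious: bytes, nbytes: int,
                        budget: int) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search for one document starting with `benign` and one starting
    with `malicious` that share a digest. Each side varies only a trailing
    counter, the role the attacker-controlled filler bytes play in a real
    chosen-prefix collision. Returns (C, A) or None when `budget` candidates
    per side are exhausted without a match."""
    seen_benign = {}     # digest -> benign document
    seen_malicious = {}  # digest -> malicious document
    for i in range(budget):
        suffix = b" nonce=" + str(i).encode()
        c, a = benign + suffix, malicious + suffix
        dc, da = digest(c, nbytes), digest(a, nbytes)
        if dc == da:
            return c, a
        if dc in seen_malicious:
            return c, seen_malicious[dc]
        if da in seen_benign:
            return seen_benign[da], a
        seen_benign[dc] = c
        seen_malicious[da] = a
    return None


def signature_transfers(nbytes: int, budget: int = 20000) -> Optional[bool]:
    """Steps 1-4 of the post on the toy scheme: find C (end-entity) and A
    (CA:TRUE) with equal digests, have the CA sign only C, then check whether
    that signature also verifies A. Returns None when no colliding pair exists
    within budget, which is what happens with the full-strength digest."""
    pair = find_colliding_pair(b"CN=example.com, CA:FALSE",
                               b"CN=example.com, CA:TRUE", nbytes, budget)
    if pair is None:
        return None
    cert_c, cert_a = pair
    ca_signature = sign(cert_c, nbytes)           # the CA only ever sees C
    return verify(cert_a, ca_signature, nbytes)   # yet the signature fits A


if __name__ == "__main__":
    print("2-byte digest: CA signature on C verifies A ->", signature_transfers(2))
    print("full SHA-256: colliding pair found within budget ->",
          signature_transfers(32) is not None)
```

With the two-byte digest the search succeeds after a few hundred candidates and `verify` accepts the CA:TRUE document under the signature the CA issued for the benign one; with the full digest the same budget finds no pair, so `signature_transfers(32)` returns None. A relying party that refuses SHA-1-signed certificates removes exactly this transfer.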


Re: Dyn DDoS this AM?

2016-10-24 Thread Eitan Adler
On 24 October 2016 at 01:25, LHC <large.hadron.colli...@gmx.com> wrote:
> All this TTL talk makes me think.
>
> Why not have two ttls - a 'must-recheck' (does not expire the record but 
> forces a recheck; updates record if server replies & serial has incremented) 
> and a 'must-delete' (cache will be stale at this point)?

If clients can't get one TTL correct what makes you think they will
get a more complicated two TTL system correct?


-- 
Eitan Adler


Re: Dyn DDoS this AM?

2016-10-21 Thread Eitan Adler
On 21 October 2016 at 18:12, Jean-Francois Mezei
<jfmezei_na...@vaxination.ca> wrote:
> On 2016-10-21 18:45, david raistrick wrote:
>
>> switch too..).   setting TTLs that make sense for a design that supports
>> change is also easy.
>
> Cuts both ways. Had Twitter had TTLs of say 7 days, vast majority
> wouldn't notice an outage of a few hours because their local cache was
> still valid.

In practice TTLs tend to be ignored on the public internet. In past
research I've been involved with browser[0] behavior was effectively
random despite the TTL set.

[0] more specifically, the chain of DNS resolution and caching down to
the browser.


-- 
Eitan Adler


Re: Stop IPv6 Google traffic

2016-04-11 Thread Eitan Adler
On 10 April 2016 at 12:33,  <b...@theworld.com> wrote:
> Who cares what his motivations are unless he asks for help with that
> underlying problem?

See Also: http://xyproblem.info/


-- 
Eitan Adler


Re: Automated alarm notification

2016-02-16 Thread Eitan Adler
On 11 February 2016 at 13:51, Frank Bulk <frnk...@iname.com> wrote:
> Is anyone aware of software, or perhaps a service, that will take SNMP
> traps, properly parse them, and perform the appropriate call outs based on
> certain content, after waiting 5 or 10 minutes for any alarms that don't
> clear?
>
> I looked at PagerDuty, but they don't do any SNMP trap parsing, and nothing
> with set/clear.

https://github.com/dropbox/trapperkeeper ?



-- 
Eitan Adler


Re: Alleged backdoor in OpenBSD's IPSEC implementation.

2010-12-15 Thread Eitan Adler
See Ken Thompson's classic paper, Reflections on Trusting Trust.

Also see David A. Wheeler's Countering Trusting Trust through Diverse
Double-Compiling.
-- 
Eitan Adler