Perry E. Metzger writes:
All major browsers already trust CAs that have virtually no security to
speak of,
...and trust any of those CAs on any (TCP) connection in the (web app)
session. Even if your first connection was authenticated by the right CA,
the second one may not be. Zusmann and
Paul Tiemann writes:
Since this is a certificate we (DigiCert) have issued, I'm trying to
understand if there is a vulnerability here that's more apparent to others
than to me,
If an attacker can steal the cert by any means, perhaps by means particular
to one of the hosted sites, he can now
Paul Tiemann paul.tiemann.use...@gmail.com writes:
[...]
This is kind of a long message to reply to so I'll just post a meta-reply to
avoid getting bogged down in nitpicking, the message, as the subject line
indicated, was intended to start a discussion on some of the weaknesses
inherent in the
Ian G i...@iang.org writes:
** But talking about TLS/SNI to SSL suppliers is like talking about the
lifeboats on the Titanic ... we don't need it because SSL is unsinkable.
... or talking to PKI standards groups about adding a CRL reason code for
certificate issued in error (e.g. to an
Hi,
Eckersley's and Burns' presentation at Defcon (coming right up) will present
their findings from a global survey of certs presented by hosts listening on
port 443. Their results are disturbing.
Have these results already been published somewhere, or do you maybe
even have a URL?
Ralph
On 07/27/2010 10:11 AM, Peter Gutmann wrote:
So a general response to the several well, what would you do? questions is
I'm not sure, that's why I posted this to the list. For example should an
SSL cert be held to higher standards than the server it's hosted on? In other
words if it's easier
On 07/27/2010 11:04 AM, Anne Lynn Wheeler wrote:
long ago and far away. they had also invented this technology
called SSL that they wanted to use. As part of applying the
technology to the business payment process ... we also had to go
around and investigate how some of these
On 07/27/2010 12:09 PM, Pat Farrell wrote:
Most of which we avoided by skipping the cert concept. Still, better
technology has nothing to do with business success.
Public Key Crypto without all the cruft of PKI. It's still a good
idea.
that became apparent in the use of SSL between all the
Ralph Holz writes:
Eckersley's and Burns' presentation at Defcon (coming right up) will
present their findings from a global survey of certs presented by hosts
listening on port 443. Their results are disturbing.
Have these results already been published somewhere, or do you maybe even
On 07/27/2010 12:09 PM, Pat Farrell wrote:
In that same time, I was at CyberCash, we invented what is now
sometimes called electronic commerce, and that and $5 will get
you a cup of coffee. We predated SSL by a few years. Used RSA768 to
protect DES sessions, etc. Usual stuff.
somewhat as
Sampo Syreeni writes:
I am not sure what quantitative measurement of vulnerability would even
mean. What units would said quantity be measured in?
I'm not sure either. This is just a gut feeling.
See also:
http://nvd.nist.gov/cvsseq2.htm
On Tue, 27 Jul 2010 11:11:52 -0700 Chris Palmer
ch...@noncombatant.org wrote:
Sampo Syreeni writes:
I am not sure what quantitative measurement of vulnerability
would even mean. What units would said quantity be measured in?
I'm not sure either. This is just a gut feeling.
See also:
Perry E. Metzger writes:
Unless you can perform an experiment to falsify the self-declared
objective quantitative security measurement, it isn't science. I can't
think of an experiment to test whether any of the coefficients in the
displayed calculation is correct. I don't even know what
False metrics are rampant in the security industry. We really need
to do something about them. I propose that we make fun of them.
You might consider joining us in D.C. on 10 August at
http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon5.0
--dan, program committee
On 27/07/2010 15:11, Peter Gutmann wrote:
The intent with posting it to the list was to get input from a collection of
crypto-savvy people on what could be done. The issue had previously been
discussed on a (very small) private list, and one of the members suggested I
post it to the
On 24/07/2010 18:55, Peter Gutmann wrote:
- PKI dogma doesn't even consider availability issues but expects the
straightforward execution of the condition problem - revoke cert. For a
situation like this, particularly if the cert was used to sign 64-bit
drivers, I wouldn't have revoked
On Tue, Jul 27, 2010 at 09:54:51PM +0100, Ben Laurie wrote:
On 27/07/2010 15:11, Peter Gutmann wrote:
The intent with posting it to the list was to get input from a collection of
crypto-savvy people on what could be done. The issue had previously been
discussed on a (very small) private
On Jul 27, 2010, at 3:34 PM, Ben Laurie wrote:
On 24/07/2010 18:55, Peter Gutmann wrote:
- PKI dogma doesn't even consider availability issues but expects the
straightforward execution of the condition problem - revoke cert. For a
situation like this, particularly if the cert was used to
On Jul 27, 2010, at 1:14 PM, d...@geer.org wrote:
False metrics are rampant in the security industry. We really need
to do something about them. I propose that we make fun of them.
You might consider joining us in D.C. on 10 August at
Haven't we already decided what to do: SNI?
But isn't that the problem, that SNI had to be added therefore it isn't
everywhere therefore site operators don't trust its presence therefore
SNI is irrelevant?
It appears Apache supports SNI as of 2.2.12 which was released 12 months ago.
Do we
** But talking about TLS/SNI to SSL suppliers is like talking about the
lifeboats on the Titanic ... we don't need it because SSL is unsinkable.
Apache support for this came out 12 months ago. Does anyone know of
statistics that show what percentage of installed Apache servers out there are
On Tue, Jul 27, 2010 at 06:07:02PM -0600, Paul Tiemann wrote:
IE6-is-dead parties. Could some intelligent web designers come up
with a few snippets of code in the various web flavors (PHP, ASP,
JSP, etc) for people to easily install and include on their sites
(as part of a movement to
On Tue, Jul 27, 2010 at 06:30:51PM -0600, Paul Tiemann wrote:
** But talking about TLS/SNI to SSL suppliers is like talking about the
lifeboats on the Titanic ... we don't need it because SSL is unsinkable.
Apache support for this came out 12 months ago. Does anyone know of
statistics
Hi Peter,
I actually
agree with a lot of the points made in the response, since this wasn't a
failing of Edgecast or a CA but a problem in the way SSL's PKI (or more
generally just PKI as a whole) works.
Yes. SNI could have been included from the start, but it was probably hard
enough
On 2010-07-28, Peter Gutmann wrote:
... or talking to PKI standards groups about adding a CRL reason code
for certificate issued in error (e.g. to an imposter). This was
turned down because CAs never make mistakes, so there's no need to
have such a reason code.
Personally what I wonder