On Sat, Oct 27, 2012 at 8:38 PM, Jeffrey Walton wrote:
> On Wed, Oct 10, 2012 at 1:34 PM,
> wrote:
>> I want to find common improper usages of OpenSSL library for SSL/TLS.
>>
>> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
>> probably, but would prefer information to the fi
On Wed, Oct 10, 2012 at 1:34 PM,
wrote:
> I want to find common improper usages of OpenSSL library for SSL/TLS.
>
> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
> probably, but would prefer information to the first point rather than
> its complement.
> --
> http://www.subspa
While more "proper" uses of OpenSSL vs improper, participants of the
discussion might enjoy the following whitepaper and tool release by
iSEC Partners and an academic look at popular non-browser SSL failures
(bottom):
https://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-va
On Wed, Oct 10, 2012 at 1:34 PM,
wrote:
> I want to find common improper usages of OpenSSL library for SSL/TLS.
>
> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
> probably, but would prefer information to the first point rather than
> its complement.
> --
> http://www.subspa
Related:
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
On Wed, Oct 10, 2012 at 10:26 PM, <travis+ml-rbcryptogra...@subspacefield.org> wrote:
> On Wed, Oct 10, 2012 at 08:56:29PM +0100, Patrick Mylund Nielsen wrote:
> > One
* Ryan Sleevi:
> Here's a quick list off the top of my head from having poked around
> various languages' bindings (Python, Perl, PHP, etc), from having seen
> various "rebranded" OpenSSL-using products, and from various "I just want
> to do HTTPS"
Here's another one I came across: do not use the
Patrick Mylund Nielsen writes:
>Guess what his optimization was. Yup, he tried every combination of things in
>SSLCipherSuite and simply chose the one with the least CPU...
I've run into similar things; I've had (potential) users of my software reject
it because it didn't support the NULL_WITH_NU
One I've seen in deployed code with Java crypto but might
also happen with openssl is use of PBKDF when the secret is
only used locally (e.g. to MAC/encrypt a cookie) and doesn't
even need to be a user memorable string. That's a great way
to consume CPU uselessly and was probably caused because
th
On Wed, October 10, 2012 10:34 am,
travis+ml-rbcryptogra...@subspacefield.org wrote:
> I want to find common improper usages of OpenSSL library for SSL/TLS.
>
> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
> probably, but would prefer information to the first point rather
On Wed, Oct 10, 2012 at 08:56:29PM +0100, Patrick Mylund Nielsen wrote:
> One thing that I've sadly seen more times than I can shake a stick at
> is people leaving in aNULL/eNULL, or not including !aNULL:!eNULL in
> their cipher suite list.
I should point out, I meant from a source code and not an
On Oct 10, 2012, at 3:56 PM, Patrick Mylund Nielsen
wrote:
> One thing that I've sadly seen more times than I can shake a stick at
> is people leaving in aNULL/eNULL, or not including !aNULL:!eNULL in
> their cipher suite list.
So, a number of years ago (~1999) I worked for a registrar.
We had
Hah. I'm surprised the term "security theater" wasn't coined earlier!
On Wed, Oct 10, 2012 at 9:29 PM, Warren Kumari wrote:
>
> On Oct 10, 2012, at 3:56 PM, Patrick Mylund Nielsen
> wrote:
>
>> One thing that I've sadly seen more times than I can shake a stick at
>> is people leaving in aNULL/e
One thing that I've sadly seen more times than I can shake a stick at
is people leaving in aNULL/eNULL, or not including !aNULL:!eNULL in
their cipher suite list.
On Wed, Oct 10, 2012 at 6:34 PM,
wrote:
> I want to find common improper usages of OpenSSL library for SSL/TLS.
>
> Can be reverse-eng
On Wed, Oct 10, 2012 at 6:34 PM,
wrote:
> I want to find common improper usages of OpenSSL library for SSL/TLS.
>
> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
> probably, but would prefer information to the first point rather than
> its complement.
I'd like to hear about
I want to find common improper usages of OpenSSL library for SSL/TLS.
Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
probably, but would prefer information to the first point rather than
its complement.
--
http://www.subspacefield.org/~travis/
Any sufficiently advanced magic