Re: [Openvas-discuss] Private or Corporate CAs

2018-04-11 Thread Alex Smirnoff
Well, actually it is a NASL script "bug". I put the word "bug" in quotes because some people would argue that it is intended behavior, but still: the proper check should be "if the certificate is self-signed, then a weak hash is either a non-issue or a low-criticality bug, depending on your settings".

Re: [Openvas-discuss] Private or Corporate CAs

2018-04-11 Thread Reindl Harald
On 11.04.2018 at 15:21, Alex Smirnoff wrote:
> On Tue, Apr 10, 2018 at 10:16:39PM +0200, Reindl Harald wrote:
>> what the hell are you arguing here?
>
> Show. Me. A. Real. Attack. Scenario. Where. It. Matters.
>
> Then I would fix. "Because OpenVAS does not like it" may be good enough
> reason

Re: [Openvas-discuss] Private or Corporate CAs

2018-04-11 Thread Alex Smirnoff
On Tue, Apr 10, 2018 at 10:16:39PM +0200, Reindl Harald wrote:
>
>
> On 10.04.2018 at 19:39, Alex Smirnoff wrote:
> > I dare to say any "external security audit" which considers that being a
> > problem is performed by morons that should be replaced ASAP.
>
> you have no idea of the real

Re: [Openvas-discuss] Private or Corporate CAs

2018-04-10 Thread Christian Kuersteiner
Guys, please watch your language. This is an open discussion list, and it makes your arguments moot if you turn it into a swearing contest. If you can't add something in a meaningful tone, then best keep it to yourself. This list should be a place to find insights, help, solutions, ideas, etc.

Re: [Openvas-discuss] Private or Corporate CAs

2018-04-10 Thread Reindl Harald
On 10.04.2018 at 19:39, Alex Smirnoff wrote:
> I dare to say any "external security audit" which considers that being a
> problem is performed by morons that should be replaced ASAP.

you have no idea of the real world. External audits are typically ordered by customers and done by independent

Re: [Openvas-discuss] Private or Corporate CAs

2018-04-10 Thread Alex Smirnoff
I dare to say any "external security audit" which considers that being a problem is performed by morons that should be replaced ASAP.

No, I won't get fired, for sure. And I won't work for any employer where I could get fired for standing by my point.

On Tue, Apr 10, 2018 at 05:16:43PM +0200, Reindl

Re: [Openvas-discuss] Private or Corporate CAs

2018-04-10 Thread Reindl Harald
On 10.04.2018 at 17:12, Alex Smirnoff wrote:
> Could you elaborate an attack scenario that depends on root certificate
> signature?
>
> The job of a security scanner is not to point at any shit, it is to point
> at dangerous shit.

its job is to point out shit which would lead to not surviving a

Re: [Openvas-discuss] Private or Corporate CAs

2018-04-10 Thread Alex Smirnoff
Could you elaborate an attack scenario that depends on root certificate signature? The job of a security scanner is not to point at any shit, it is to point at dangerous shit.

On Mon, Apr 09, 2018 at 10:26:54AM +0200, Reindl Harald wrote:
> jesus add an override and you are done
>
> MD5/SHA1

Re: [Openvas-discuss] Private or Corporate CAs

2018-04-09 Thread Reindl Harald
jesus add an override and you are done

MD5/SHA1 certificates are shit and it's the job of a security scanner to point that out - for anything which you don't want to see, local overrides are the way to go

On 07.04.2018 at 18:32, Alex Smirnoff wrote:
> Huh?
>
> It is relevant. But it is

Re: [Openvas-discuss] Private or Corporate CAs

2018-04-07 Thread Alex Smirnoff
Huh?

It is relevant. But it is irrelevant for anything that is self-signed. Isn't it obvious?

On Thu, Mar 29, 2018 at 08:41:25PM +0200, Reindl Harald wrote:
>
>
> On 29.03.2018 at 20:29, Alex Smirnoff wrote:
> > Could you elaborate, exactly how weak hash could matter for self-signed
> >

Re: [Openvas-discuss] Private or Corporate CAs

2018-03-29 Thread Reindl Harald
On 29.03.2018 at 20:29, Alex Smirnoff wrote:
> Could you elaborate, exactly how a weak hash could matter for a self-signed certificate? Without vague references like "if you don't want to trust the NSA and NIST". I do not see any of those organisations stating that a weak hash is dangerous for a

Re: [Openvas-discuss] Private or Corporate CAs

2018-03-29 Thread Alex Smirnoff
Could you elaborate, exactly how a weak hash could matter for a self-signed certificate? Without vague references like "if you don't want to trust the NSA and NIST". I do not see any of those organisations stating that a weak hash is dangerous for a situation where the signature itself is irrelevant.

On

Re: [Openvas-discuss] Private or Corporate CAs

2018-02-16 Thread Christian Fischer
Hi,

On 02.02.2018 22:18, Gareth Williams wrote:
> I can't add to this list (as far as my understanding
> goes) as the file is signed.

I think allowing this still makes sense in the scope of Private or Corporate CAs. The "SSL/TLS: Certificate Signed Using A Weak Signature Algorithm" was updated

Re: [Openvas-discuss] Private or Corporate CAs

2018-02-02 Thread R0b0t1
On Fri, Feb 2, 2018 at 3:18 PM, Gareth Williams wrote:
> Hello,
>
> The "SSL/TLS: Certificate Signed Using A Weak Signature Algorithm" test gets
> confused if a server is using (and presumably sends as part of the TLS
> handshake) a Root CA certificate that is signed

[Openvas-discuss] Private or Corporate CAs

2018-02-02 Thread Gareth Williams
Hello,

The "SSL/TLS: Certificate Signed Using A Weak Signature Algorithm" test gets confused if a server is using (and presumably sends as part of the TLS handshake) a Root CA certificate that is signed by a weak algorithm. This check should only be valid for subordinate certificates, that