Well, actually it is a NASL script "bug". I put the word "bug" in quotes
because some people would argue that it is intended behavior, but still:
The proper check should be "if the certificate is self-signed, then weak
hash is either non-issue or low criticality bug depending on your
settings". B
Am 11.04.2018 um 15:21 schrieb Alex Smirnoff:
> On Tue, Apr 10, 2018 at 10:16:39PM +0200, Reindl Harald wrote:
>> what the hell are you argue here?
>
> Show. Me. A. Real. Attack. Scenario. Where. It. Matters.
>
> Then I would fix. "Because OpenVAS does not like it" may be good enough
> reason if
On Tue, Apr 10, 2018 at 10:16:39PM +0200, Reindl Harald wrote:
>
>
> Am 10.04.2018 um 19:39 schrieb Alex Smirnoff:
> > I dare to say any "external security audit" which considers that being a
> > problem is pefromed by morons that should be replaced ASAP.
>
> you have no idea from the real world
Guys,
Please watch your language. This is an open discussion list and it makes
your arguments moot if you turn it into a swearing contest. If you can't
add something in a meaningful tone then best keep it to yourself.
This list should be a place to find insights, help, solutions, ideas
etc.
Am 10.04.2018 um 19:39 schrieb Alex Smirnoff:
> I dare to say any "external security audit" which considers that being a
> problem is pefromed by morons that should be replaced ASAP.
you have no idea from the real world
external audits are typically ordered by customers and done by
independent
I dare to say any "external security audit" which considers that being a
problem is pefromed by morons that should be replaced ASAP.
No, I won't get fired, for sure. And I won't work for any employer where
I could get fired for standing my point.
On Tue, Apr 10, 2018 at 05:16:43PM +0200, Reindl H
Am 10.04.2018 um 17:12 schrieb Alex Smirnoff:
> Could you elaborate an attack scenario that depends on root certificate
> signature?
>
> The job of security scanner is not to point at any shit, it is to point
> at dangerous shit.
it's job is to point out shit which would lead to not survive a e
Could you elaborate an attack scenario that depends on root certificate
signature?
The job of security scanner is not to point at any shit, it is to point
at dangerous shit.
On Mon, Apr 09, 2018 at 10:26:54AM +0200, Reindl Harald wrote:
> jesus add a override and you are done
>
> MD5/SHA1 certif
jesus add a override and you are done
MD5/SHA1 certificates are shit and it's th ejob of a security scanner to
point that out - for anything which you don't want to see local
overrides are the way to go
Am 07.04.2018 um 18:32 schrieb Alex Smirnoff:
> Huh?
>
> It is relevant. But it is irrelevant
Huh?
It is relevant. But it is irrelevant for anything that is self-signed.
Isn't it obvious?
On Thu, Mar 29, 2018 at 08:41:25PM +0200, Reindl Harald wrote:
>
>
> Am 29.03.2018 um 20:29 schrieb Alex Smirnoff:
> > Could you elaborate, exactly how weak hash could matter for self-signed
> > certif
Am 29.03.2018 um 20:29 schrieb Alex Smirnoff:
Could you elaborate, exactly how weak hash could matter for self-signed
certificate? Without vague references like "if you don't want to trust
the NSA and NIST". I do not see any of those organisations stating that
weak hash is dangerous for a situa
Could you elaborate, exactly how weak hash could matter for self-signed
certificate? Without vague references like "if you don't want to trust
the NSA and NIST". I do not see any of those organisations stating that
weak hash is dangerous for a situation where signature itself is
irrelevant.
On Fri
Hi,
On 02.02.2018 22:18, Gareth Williams wrote:
> I can't add to this list (as far as my understanding
> goes) as the file is signed.
i think allowing this still makes sense in the scope of Private or
Corporate CAs. The "SSL/TLS: Certificate Signed Using A Weak Signature
Algorithm" was updated to
On Fri, Feb 2, 2018 at 3:18 PM, Gareth Williams
wrote:
> Hello,
>
> The "SSL/TLS: Certificate Signed Using A Weak Signature Algorithm" test gets
> confused if a server is using (and presumably sends as part of the TLS
> handshake) a Root CA certificate that is signed by a weak algorithm.
>
> This
14 matches
Mail list logo