
List:       cap-talk
Subject:    Re: [cap-talk] SANS Institute's "25 Most Dangerous Programming
From:       Tyler Close <tyler.close () gmail ! com>
Date:       2009-01-13 1:04:29
Message-ID: 5691356f0901121704u1569522cu632fc7aa432280ed () mail ! gmail ! com

I like the idea of working through this list, explaining how Confused
Deputy applies. That TODO list just keeps growing...

On Mon, Jan 12, 2009 at 4:31 PM, Bill Frantz <frantz@pwpconsult.com> wrote:
> erights@gmail.com (Mark Miller) on Monday, January 12, 2009 wrote:
>>CWE-327: Use of a Broken or Risky Cryptographic Algorithm
> E: VatTP uses 3DES, 1K bit Diffie-Hellman, SHA1, and DSA. 3DES is still
> considered secure, if a bit quaint. SHA1 is falling to attack and NIST
> wants it out of use by the federal government by 2010. 1K bit for the
> Diffie-Hellman is now considered a bit small, but is still OK. DSA depends
> on SHA1, but I don't know about possible replacements. Waterken/Joe-E and
> Caja: Depend on algorithms implemented by servers, clients, and certificate
> authorities (CAs). Unless tweaked by the server's sysops, web servers
> probably will negotiate weak algorithms. May be vulnerable to the MD5
> attacks on CAs.

The Waterken server restricts the accepted ciphersuites to:

            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA"

Server certificates generated by the Waterken server use
"SHA1withRSA". So I don't put out any MD5, but I'm stuck with SHA1. I
don't currently reject received certificates that use MD5. Should I? I
suppose so.

Not that any of this matters of course, since once you can forge your
own widely accepted CA cert, the browser's Same Origin Policy will
allow you to pull data out of any browser window you like. It was sad
to read the blog posts claiming you were safe if you had an EV cert or
a Verisign cert. There was even such a post by a Verisign employee:

"""
Q: The researchers stated that Extended Validation SSL is a defense
against this problem. Is that true?
A: Yes. The Extended Validation SSL Certificate standards prohibit the
use of MD5. So no EV certificate in compliance with the standards uses
MD5. I can tell you factually that no EV SSL Certificate on the
VeriSign, thawte, or GeoTrust brands uses MD5.
"""

"Tim Callan's SSL Blog - Online Security"
https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php

Naughty, naughty.

--Tyler
_______________________________________________
cap-talk mailing list
cap-talk@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk
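The question raised above, whether a server should reject received certificates signed with MD5, can be answered with a policy check run over every certificate in a received chain before normal validation. The following is an added example written for this archive page, not Waterken code and not from anyone in the thread: a minimal DER walk that reads the outer signatureAlgorithm of an X.509 certificate and refuses the MD2/MD5-with-RSA OIDs. The `fake_cert` fixtures are constructed, not real certificates.

```python
WEAK_SIG_ALGS = {                            # RFC 3279 signature-algorithm OIDs
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content octets to dotted form (the first octet packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = read_tlv(cert, 0)            # skip tbsCertificate entirely
    tag, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid_raw)

def accept_certificate(cert_der):
    """Policy gate: refuse MD2/MD5 signatures before any other validation runs."""
    return signature_algorithm_oid(cert_der) not in WEAK_SIG_ALGS

# Constructed fixtures (not real certificates): an empty tbsCertificate, an
# AlgorithmIdentifier carrying the given OID with NULL params, a dummy signature.
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")    # 1.2.840.113549.1.1.4
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")   # 1.2.840.113549.1.1.5

def fake_cert(oid_content):
    alg_id = bytes([0x30, len(oid_content) + 4, 0x06, len(oid_content)]) + oid_content + b"\x05\x00"
    body = b"\x30\x00" + alg_id + b"\x03\x03\x00\xaa\xbb"
    return bytes([0x30, len(body)]) + body
```

The check must be applied to every certificate in the chain, not only the leaf: the MD5 collision attack discussed in the thread targets a CA-issued intermediate, so a chain whose leaf is SHA-1 signed can still hang off an MD5-signed forgery.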