Links

Ben Laurie blathering


OpenID/Debian PRNG/DNS Cache Poisoning

Where “P” stands for “Predictable”.

Richard Clayton and I today released a security advisory showing how three independent vulnerabilities combine to make a rather scary mess, mitigated only by the fact that no-one protects anything very valuable with OpenID anyway. But just think how much worse it could have been (on which I shall write more soon)!

4 Comments

  1. [...] second glop hits today when Ben Laurie of Google points out the unfortunate convergence between the DNS vulnerability and the Debian private key generate [...]

    Pingback by Hitting the fan « Identity Blogger — 8 Aug 2008 @ 13:46

  2. I already see a response from Sun at http://blogs.sun.com/racingsnake/entry/one_factor_trust_multi_factor

    Comment by Mads — 8 Aug 2008 @ 16:29

  3. [...] LinksThe Rest I Just Squandered « OpenID/Debian PRNG/DNS Cache Poisoning [...]

    Pingback by Links » NYT Doesn’t Quite Get It, Hilarity From OpenID — 10 Aug 2008 @ 13:36

  4. Nice work. I was amused to see that Sun chose to use Debian for generating their certificate. Don’t they have their own operating system? :-)

    Comment by Steven Murdoch — 10 Aug 2008 @ 14:29
