Ben Laurie blathering

OpenID/Debian PRNG/DNS Cache Poisoning

Where “P” stands for “Predictable”.

Richard Clayton and I today released a security advisory showing how three independent vulnerabilities combine to make a rather scary mess, mitigated only by the fact that no-one protects anything very valuable with OpenID anyway. But just think how much worse it could have been (on which I shall write more soon)!


  1. […] second glop hits today when Ben Laurie of Google points out the unfortunate convergence between the DNS vulnerability and the Debian private key generate […]

    Pingback by Hitting the fan « Identity Blogger — 8 Aug 2008 @ 13:46

  2. I already see a response from Sun at

    Comment by Mads — 8 Aug 2008 @ 16:29

  3. […] LinksThe Rest I Just Squandered « OpenID/Debian PRNG/DNS Cache Poisoning […]

    Pingback by Links » NYT Doesn’t Quite Get It, Hilarity From OpenID — 10 Aug 2008 @ 13:36

  4. Nice work. I was amused to see that Sun chose to use Debian for generating their certificate. Don’t they have their own operating system? 🙂

    Comment by Steven Murdoch — 10 Aug 2008 @ 14:29

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress