Archive of posts filed under the Cryptography category.

Beware of source code (even from your favorite portal/forum/…)

The other day I stumbled upon a weird piece of software on howtoforge.com: dns-add (code on sourceforge.net). Actually, the purpose of dns-add was very intriguing: update your DNS in one command! The output should look like this: …::: ISP-fW DNS add v1.0 :::… http://isp-fw.sourceforge.net/ –== copyleft 2005-2006 ==– | Free memory: 864 [...]

Updates on OpenSSL CVE-2009-3555 (client renegotiation)

There is some news from the OpenSSL CVE-2009-3555 front (see this and this for the history). The latest version of Apache mod_ssl (2.2) now embeds an option to reactivate old-style client renegotiation: SSLInsecureRenegotiation on. Check the official doc for more details. With this option activated, you can now safely upgrade OpenSSL [...]

Possible use of SSL rogue certificates for spying purposes

Recent work by security researchers on SSL MiTM attacks has shown how fragile the whole Internet security design could be. But whereas some of these attacks concern CAs with insufficient security policies (MD5 collisions) or some level of social engineering against the user (sslsniff), this paper alerts us to a more serious and stealthy threat. [...]

SSL/TLS RFC updated against CVE-2009-3555

A solution has finally been put forward to fix both CVE-2009-3555 and the temporary solution that broke client authentication. At least the IETF has agreed on a fix, as Marsh Ray informs us, though it will still take some weeks for the whole validation process to complete. Moreover, as it requires both the servers and the clients [...]

OpenSSL: CVE-2009-3555 security fix and mod_ssl client authentication breakage

A security advisory on OpenSSL has recently been published. Details are here and here. It is vulnerable to a MiTM attack in which the attacker can retrieve the credentials for a trusted HTTPS website by intercepting the session cookie sent back to the client. A proof of concept of an attack against Twitter was [...]

SHA-1 vulnerable: consider SHA-2

Not long after MD5, progress in computation has claimed another victim. Last week, it was made public that the SHA-1 hash function should now be considered vulnerable. The discovery shows that the computation needed to create a hash collision has been dramatically reduced. As a consequence, the SHA-1 function can no longer guarantee the uniqueness – [...]

MD5 in your SSL certificate? No need to panic!

MD5 was found vulnerable a few years ago. Recently, a team succeeded in producing a fake CA SSL certificate. MD5 or SHA-1 is the algorithm used to authenticate the peer in SSL messages. If it gets compromised, it becomes possible, by combining various techniques, to carry out a MiTM attack. But too much noise has [...]

How to stop Firefox from prompting for the client certificate

I am using a client certificate to authenticate against an Apache HTTPS website. By default, Firefox 3 has a very annoying setting: it will prompt you with a box to select your certificate every time the browser accesses a file. I quickly realized that there is no setting in the preferences tab to [...]