|
|
SSL cryptographic web browser vulnerability
http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
provides details of a cryptographic vulnerability in the SSL implementation
of a large number of web browsers.
The attack allows someone to forge arbitrary certificates if the signing
certificate has a public exponent of 3. The forgery will not be detected by
affected browsers which have root certificates with an RSA public exponent
of 3 installed - there are a number of such certificates installed in common
browsers.
The recommendation is to upgrade to the latest unaffected versions of
browsers.
Versions of Mozilla/SeaMonkey and Netscape are vulnerable - hence it is likely
that the version of Mozilla on VMS is vulnerable.
Details are also on the Mozilla site at
http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
David Webb
Security team leader
CCSS
Middlesex University
|
|
0
|
|
|
|
Reply
|
 david20
|
9/20/2006 1:59:50 PM |
|
david20@alpha2.mdx.ac.uk wrote:
> http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
>
> provides details of a cryptographic vulnerability in the SSL implementation
> of a large number of web browsers.
>
> The attack allows someone to forge arbitrary certificates if the signing
> certificate has a public exponent of 3. The forgery will not be detected by
> affected browsers which have root certificates with an RSA public exponent
> of 3 installed - there are a number of such certificates installed in common
> browsers.
>
> The recommendation is to upgrade to the latest unaffected versions of
> browsers.
>
> Versions of Mozilla/SeaMonkey and Netscape are vulnerable - hence it is likely
> that the version of Mozilla on VMS is vulnerable.
>
> Details are also on the Mozilla site at
>
> http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
>
>
>
>
> David Webb
> Security team leader
> CCSS
> Middlesex University
Well I hope that HP is going to take some steps to correct this for the
VMS browsers. For now I'm yanking the affected certificates, but as
the article notes thats not a fix, just a preventive measure.
|
|
|
0
|
|
|
|
Reply
|
 jordan (1203)
|
9/20/2006 3:18:30 PM
|
|
According to
http://h71000.www7.hp.com/openvms/products/ssl/ssl.html
HP SSL Version 1.3 for OpenVMS is based on OpenSSL OpenSSL 0.9.7e and
was released on 01-SEP-2006 which is before OpenSSL released the fixes
for this problem. So I think HP SSL V1.3 will have the problem.
|
|
|
0
|
|
|
|
Reply
|
 ijm (351)
|
9/20/2006 5:32:30 PM
|
|
In article <eerhgl$5g9$1@south.jnrs.ja.net>, david20@alpha2.mdx.ac.uk writes:
> http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
>
> provides details of a cryptographic vulnerability in the SSL implementation
> of a large number of web browsers.
>
> The attack allows someone to forge arbitrary certificates if the signing
> certificate has a public exponent of 3. The forgery will not be detected by
> affected browsers which have root certificates with an RSA public exponent
> of 3 installed - there are a number of such certificates installed in common
> browsers.
>
> The recommendation is to upgrade to the latest unaffected versions of
> browsers.
>
> Versions of Mozilla/SeaMonkey and Netscape are vulnerable - hence it is likely
> that the version of Mozilla on VMS is vulnerable.
>
> Details are also on the Mozilla site at
>
> http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
>
Because the problem is in OpenSSL, VMS Mosaic is also vulnerable. See
http://www.openssl.org/news/secadv_20060905.txt
for the OpenSSL Security Advisory which explains how to update OpenSSL
to remove the vulnerability.
The current release of HP SSL should also have the vulnerability. Users
of VMS Mosaic with HP SSL should either remove the vulnerable certificates
from CERT.PEM or switch to an updated release of OpenSSL.
George Cook
WVNET
|
|
|
0
|
|
|
|
Reply
|
 cook (261)
|
9/20/2006 7:02:29 PM
|
|
David,
Please don't discuss security issues in a public forum. If you do then,
before you know it, users will start asking questions and we'll actually
have to start fixing things, and then they'll be releases and it all get's
very messy.
Just tell Hoff the problem and he'll decide who get's to hear about it on a
needs-to-know basis. Ok?
"Wouldya tie it up with wy-er, just to keep the show on the road; hey True
Blue. ."
Regards Richard Maher
PS. I never doubted the Eagles for a minute :-) Now *that's* character!
<david20@alpha2.mdx.ac.uk> wrote in message
news:eerhgl$5g9$1@south.jnrs.ja.net...
>
>
> http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
>
> provides details of a cryptographic vulnerability in the SSL
implementation
> of a large number of web browsers.
>
> The attack allows someone to forge arbitrary certificates if the signing
> certificate has a public exponent of 3. The forgery will not be detected
by
> affected browsers which have root certificates with an RSA public exponent
> of 3 installed - there are a number of such certificates installed in
common
> browsers.
>
> The recommendation is to upgrade to the latest unaffected versions of
> browsers.
>
> Versions of Mozilla/SeaMonkey and Netscape are vulnerable - hence it is
likely
> that the version of Mozilla on VMS is vulnerable.
>
> Details are also on the Mozilla site at
>
> http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
>
>
>
>
> David Webb
> Security team leader
> CCSS
> Middlesex University
>
|
|
|
0
|
|
|
|
Reply
|
 maher_rj (1626)
|
9/23/2006 8:41:40 AM
|
|
In article <ef2rpo$dpq$1@news-02.connect.com.au>, "Richard Maher" <maher_rj@hotspamnotmail.com> writes:
>David,
>
>Please don't discuss security issues in a public forum. If you do then,
>before you know it, users will start asking questions and we'll actually
>have to start fixing things, and then they'll be releases and it all get's
>very messy.
>
There is a big difference in posting information about a new vulnerability in a
public forum and posting lnformation about vulnerabilities already in the
public arena.
In the first case you are giving ammunition to potential hackers thereby
reducing user's security.
In the second case the information has already been divulged and you are
providing a warning to users so that they can try to mitigate the risk.
David Webb
Security team leader
CCSS
Middlesex University
>Just tell Hoff the problem and he'll decide who get's to hear about it on a
>needs-to-know basis. Ok?
>
>"Wouldya tie it up with wy-er, just to keep the show on the road; hey True
>Blue. ."
>
>Regards Richard Maher
>
>PS. I never doubted the Eagles for a minute :-) Now *that's* character!
>
><david20@alpha2.mdx.ac.uk> wrote in message
>news:eerhgl$5g9$1@south.jnrs.ja.net...
>>
>>
>> http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
>>
>> provides details of a cryptographic vulnerability in the SSL
>implementation
>> of a large number of web browsers.
>>
>> The attack allows someone to forge arbitrary certificates if the signing
>> certificate has a public exponent of 3. The forgery will not be detected
>by
>> affected browsers which have root certificates with an RSA public exponent
>> of 3 installed - there are a number of such certificates installed in
>common
>> browsers.
>>
>> The recommendation is to upgrade to the latest unaffected versions of
>> browsers.
>>
>> Versions of Mozilla/SeaMonkey and Netscape are vulnerable - hence it is
>likely
>> that the version of Mozilla on VMS is vulnerable.
>>
>> Details are also on the Mozilla site at
>>
>> http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
>>
>>
>>
>>
>> David Webb
>> Security team leader
>> CCSS
>> Middlesex University
>>
>
>
|
|
|
0
|
|
|
|
Reply
|
david20
|
9/23/2006 11:41:08 AM
|
|
david20@alpha2.mdx.ac.uk wrote:
> In article <ef2rpo$dpq$1@news-02.connect.com.au>, "Richard Maher" <maher_rj@hotspamnotmail.com> writes:
> >David,
> >
> >Please don't discuss security issues in a public forum. If you do then,
> >before you know it, users will start asking questions and we'll actually
> >have to start fixing things, and then they'll be releases and it all get's
> >very messy.
> >
>
> There is a big difference in posting information about a new vulnerability in a
> public forum and posting lnformation about vulnerabilities already in the
> public arena.
>
> In the first case you are giving ammunition to potential hackers thereby
> reducing user's security.
> In the second case the information has already been divulged and you are
> providing a warning to users so that they can try to mitigate the risk.
>
>
>
> David Webb
> Security team leader
> CCSS
> Middlesex University
>
> >Just tell Hoff the problem and he'll decide who get's to hear about it on a
> >needs-to-know basis. Ok?
> >
> >"Wouldya tie it up with wy-er, just to keep the show on the road; hey True
> >Blue. ."
> >
> >Regards Richard Maher
> >
> >PS. I never doubted the Eagles for a minute :-) Now *that's* character!
> >
> ><david20@alpha2.mdx.ac.uk> wrote in message
> >news:eerhgl$5g9$1@south.jnrs.ja.net...
> >>
> >>
> >> http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
> >>
> >> provides details of a cryptographic vulnerability in the SSL
> >implementation
> >> of a large number of web browsers.
> >>
> >> The attack allows someone to forge arbitrary certificates if the signing
> >> certificate has a public exponent of 3. The forgery will not be detected
> >by
> >> affected browsers which have root certificates with an RSA public exponent
> >> of 3 installed - there are a number of such certificates installed in
> >common
> >> browsers.
> >>
> >> The recommendation is to upgrade to the latest unaffected versions of
> >> browsers.
> >>
> >> Versions of Mozilla/SeaMonkey and Netscape are vulnerable - hence it is
> >likely
> >> that the version of Mozilla on VMS is vulnerable.
> >>
> >> Details are also on the Mozilla site at
> >>
> >> http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
> >>
> >>
Don't worry though, this vunerability is not listed by CERT so certain
posters to this group can rest safe in the knowledge that if it isn't
listed it doesn't exist.
Regards
Andrew Harrison
> >>
> >>
> >> David Webb
> >> Security team leader
> >> CCSS
> >> Middlesex University
> >>
> >
> >
|
|
|
0
|
|
|
|
Reply
|
Andrew
|
9/25/2006 10:45:29 AM
|
|
In article <1159181129.417906.170860@k70g2000cwa.googlegroups.com>, "Andrew" <andrew_harrison@symantec.com> writes:
>
>david20@alpha2.mdx.ac.uk wrote:
>> In article <ef2rpo$dpq$1@news-02.connect.com.au>, "Richard Maher" <maher_rj@hotspamnotmail.com> writes:
>> >David,
>> >
>> >Please don't discuss security issues in a public forum. If you do then,
>> >before you know it, users will start asking questions and we'll actually
>> >have to start fixing things, and then they'll be releases and it all get's
>> >very messy.
>> >
>>
>> There is a big difference in posting information about a new vulnerability in a
>> public forum and posting lnformation about vulnerabilities already in the
>> public arena.
>>
>> In the first case you are giving ammunition to potential hackers thereby
>> reducing user's security.
>> In the second case the information has already been divulged and you are
>> providing a warning to users so that they can try to mitigate the risk.
>>
>>
>>
>> David Webb
>> Security team leader
>> CCSS
>> Middlesex University
>>
>> >Just tell Hoff the problem and he'll decide who get's to hear about it on a
>> >needs-to-know basis. Ok?
>> >
>> >"Wouldya tie it up with wy-er, just to keep the show on the road; hey True
>> >Blue. ."
>> >
>> >Regards Richard Maher
>> >
>> >PS. I never doubted the Eagles for a minute :-) Now *that's* character!
>> >
>> ><david20@alpha2.mdx.ac.uk> wrote in message
>> >news:eerhgl$5g9$1@south.jnrs.ja.net...
>> >>
>> >>
>> >> http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
>> >>
>> >> provides details of a cryptographic vulnerability in the SSL
>> >implementation
>> >> of a large number of web browsers.
>> >>
>> >> The attack allows someone to forge arbitrary certificates if the signing
>> >> certificate has a public exponent of 3. The forgery will not be detected
>> >by
>> >> affected browsers which have root certificates with an RSA public exponent
>> >> of 3 installed - there are a number of such certificates installed in
>> >common
>> >> browsers.
>> >>
>> >> The recommendation is to upgrade to the latest unaffected versions of
>> >> browsers.
>> >>
>> >> Versions of Mozilla/SeaMonkey and Netscape are vulnerable - hence it is
>> >likely
>> >> that the version of Mozilla on VMS is vulnerable.
>> >>
>> >> Details are also on the Mozilla site at
>> >>
>> >> http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
>> >>
>> >>
>
>Don't worry though, this vunerability is not listed by CERT so certain
>posters to this group can rest safe in the knowledge that if it isn't
>listed it doesn't exist.
>
Well it is listed on US-Cert in vulnerability note VU#845620
CVE Name : CVE-2006-4339
See
http://www.kb.cert.org/vuls/id/845620
Though the fact that the vulnerability reported by Bleichenbacher could be used
in particular to attack many browsers isn't highlighted.
David Webb
Security team leader
CCSS
Middlesex University
>Regards
>Andrew Harrison
>> >>
>> >>
>> >> David Webb
>> >> Security team leader
>> >> CCSS
>> >> Middlesex University
>> >>
>> >
>> >
>
|
|
|
0
|
|
|
|
Reply
|
david20
|
9/25/2006 12:16:30 PM
|
|
|
7 Replies
31 Views
(page loaded in 0.13 seconds)
|
|
|
|
|
|
|
|
|
Search |
Post Question |
Groups |
Stream |
About |
Register
20448 articles. 
10 followers. 
karcher
vaxima
munk
remailer2
vaxima6
jfmezei.spamnot