1) OpenSSL malformed signature checking: http://openssl.org/news/secadv_20090107.txt

This affects a great number of products and installations.

Who is affected?
=================

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type is NOT affected.

Recommendations for users of OpenSSL
=====================================

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release which contains a patch to correct this issue. The patch used is also appended to this advisory for users or distributions who wish to backport this patch to versions they build from source.

Recommendations for projects using OpenSSL
===========================================

Projects and products using OpenSSL should audit any use of the routine EVP_VerifyFinal() to ensure that the return code is being correctly handled. As documented, this function returns 1 for a successful verification, 0 for failure, and -1 for an error.

General recommendations
========================

Any server that has clients using OpenSSL verifying DSA or ECDSA certificates, regardless of the software used by the server, should either ensure that all clients are upgraded or stop using DSA/ECDSA certificates. Note that unless certificates are revoked (and clients check for revocation) impersonation will still be possible until the certificate expires.

2) MD5 Impersonation: An MD5 flaw has been suggested theoretically in various ways, but a complete proof of concept was not completely dissected, described and announced until December 30, 2008.
I think that MD5 impersonation "discovery" is now owned by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger from the Netherlands, announced at Chaos on December 30, 2008 in Berlin - here's that presentation: http://www.win.tue.nl/hashclash/rogue-ca/downloads/md5-collisions-1.0.pdf

Here's the Homeland Security Recommendations two days later:

[added Jan. 2] US-CERT, the US Department of Homeland Security's Computer Emergency Readiness Team, published Vulnerability Note VU#836068: "MD5 vulnerable to collision attacks". Interesting quotes from this note:

"Do not use the MD5 algorithm"

"Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use."

"Scrutinize SSL certificates signed by certificates using the MD5 algorithm"

"Users may wish to manually analyze the properties of web site certificates (...) Certificates listed as md5RSA or similar are affected. Such certificates that include strange or suspicious fields or other anomalies may be fraudulent. Because there are no reliable signs of tampering it must be noted that this workaround is error-prone and impractical for most users."

Here's Microsoft's Response (touting the EV certs of course and their update process [which was only released this week] which says it's released on 12/30/0):

Do not sign digital certificates with MD5

Certificate Authorities should no longer sign newly generated certificates using the MD5 algorithm, as it is known to be prone to collision attacks. Several alternative and more secure technologies are available, including SHA-1, SHA-256, SHA-384 or SHA-512.

So if you guys discover something that doesn't make sense? Follow up on it. Dissect it and publish it in a big way....
Many of us ignored the DNS flaws described and exploited by Kaminsky for years. Believe me there are a great many working exploits before every published exploit. Yes, I was asleep working on a project.... but Hans and I discussed some of the cert auth triangulation auth issues and wondered when it might be coming!

> Date: Wed, 7 Jan 2009 16:19:17 -0700
> From: PLUGd@LuftHans.com
> To: PLUG-discuss@lists.PLUG.phoenix.az.us
> Subject: OpenSSL, MD5, CA security flaws, oh my
>
> moin moin,
>
> Lisa has probably posted the second issue, but I'm a bit behind on the
> list. The first one appears to be from today and I don't see anything from
> her today.
>
> http://openssl.org/news/secadv_20090107.txt
>
> OK, so DSA and ECDSA certs in OpenSSL now are suspect, but RSA is still
> safe, except...
>
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> Hmm, it's possible to impersonate a CA and create RSA certs that'll be
> accepted :(.
>
> I think the 'Outline of the attack' section indicates that the original CA
> certificate is needed, so CAs moving away from MD5 can avoid the problem.
>
> ciao,
>
> der.hans
> --
> # http://www.LuftHans.com/ http://www.LuftHans.com/Classes/
> # Strangers are friends just waiting to happen!
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
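The OpenSSL advisory quoted in this thread asks projects to audit every EVP_VerifyFinal() call site for correct handling of its three-valued return code (1 verified, 0 mismatch, -1 error). The following C program is an added example, not part of the advisory or of either message in the thread, and it does not link OpenSSL: stub_verify_final() is a constructed stand-in that returns the same three values (an empty or over-long "signature" string stands in for a malformed one). It puts the buggy truthiness check beside the correct equality check so the difference on the error path is visible.

```c
/*
 * Added example: models the documented EVP_VerifyFinal() return contract
 * (1 = signature verified, 0 = signature does not match, -1 = error such as
 * a malformed signature) and contrasts a truthiness check with an equality
 * check.  stub_verify_final() is a constructed stand-in for EVP_VerifyFinal();
 * it performs no cryptography and is not OpenSSL code.
 */
#include <stdio.h>
#include <string.h>

/* Return values mirroring the documented EVP_VerifyFinal() contract. */
#define VERIFY_OK      1
#define VERIFY_FAIL    0
#define VERIFY_ERROR  -1

/*
 * Constructed stand-in for EVP_VerifyFinal().  A "signature" is a
 * NUL-terminated string; an empty or over-long one is treated as malformed
 * (cannot be parsed, so -1).  Otherwise it verifies only if it equals the
 * expected value.  Real code would call EVP_VerifyFinal() and receive the
 * same three outcomes.
 */
static int stub_verify_final(const char *sig, const char *expected)
{
    size_t n;
    if (sig == NULL)
        return VERIFY_ERROR;
    n = strlen(sig);
    if (n == 0 || n > 64)
        return VERIFY_ERROR;            /* malformed signature */
    return strcmp(sig, expected) == 0 ? VERIFY_OK : VERIFY_FAIL;
}

/*
 * Buggy pattern the advisory warns about: any non-zero return, including the
 * -1 error code, is treated as a successful verification.
 */
int accepts_buggy(const char *sig, const char *expected)
{
    if (stub_verify_final(sig, expected))
        return 1;
    return 0;
}

/*
 * Correct pattern: only the documented success value counts.  An error is
 * never evidence of a valid signature, so -1 fails closed just like 0.
 */
int accepts_correct(const char *sig, const char *expected)
{
    int rc = stub_verify_final(sig, expected);
    if (rc < 0) {
        /* Error path (e.g. malformed signature): diagnose, but reject. */
        return 0;
    }
    return rc == VERIFY_OK;
}

int main(void)
{
    const char *good = "deadbeef";      /* constructed expected signature */

    /* Three inputs: matching, mismatching, and malformed (empty). */
    printf("buggy  : valid=%d mismatch=%d malformed=%d\n",
           accepts_buggy(good, good), accepts_buggy("cafe", good),
           accepts_buggy("", good));
    printf("correct: valid=%d mismatch=%d malformed=%d\n",
           accepts_correct(good, good), accepts_correct("cafe", good),
           accepts_correct("", good));
    return 0;
}
```

With the buggy check the malformed input is accepted (malformed=1) because -1 is non-zero; with the equality check only the genuinely matching signature passes. The audit the advisory recommends amounts to finding every `if (EVP_VerifyFinal(...))` or `!= 0` comparison and replacing it with a comparison against 1.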