1) OpenSSL malformed signature checking:

http://openssl.org/news/secadv_20090107.txt

This affects a great number of products and installations.

Who is affected?
=================

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client
when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose
certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type
is NOT affected.

Recommendations for users of OpenSSL
=====================================

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release
which contains a patch to correct this issue.

The patch used is also appended to this advisory for users or
distributions who wish to backport this patch to versions they build
from source.

Recommendations for projects using OpenSSL
===========================================

Projects and products using OpenSSL should audit any use of the
routine EVP_VerifyFinal() to ensure that the return code is being
correctly handled. As documented, this function returns 1 for a
successful verification, 0 for failure, and -1 for an error.

General recommendations
========================

Any server that has clients using OpenSSL verifying DSA or ECDSA
certificates, regardless of the software used by the server, should
either ensure that all clients are upgraded or stop using DSA/ECDSA
certificates. Note that unless certificates are revoked (and clients
check for revocation) impersonation will still be possible until the
certificate expires.

2) MD5 Impersonation:

An MD5 flaw has been suggested theoretically in various ways, but a complete proof of concept was not completely dissected, described and announced until December 30, 2008. I think that MD5 impersonation "discovery" is now owned by Alexander Sotirov, Mark Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger from the Netherlands, announced at Chaos on December 30, 2008 in Berlin - here's that presentation: http://www.win.tue.nl/hashclash/rogue-ca/downloads/md5-collisions-1.0.pdf

Here's the HomeLand Security Recommendations two days later:

[added Jan. 2] US-CERT, the US Department of Homeland Security's Computer Emergency Readiness Team, published Vulnerability Note VU#836068: "MD5 vulnerable to collision attacks". Interesting quotes from this note:

Here's Microsoft's Response (touting the EV certs of course and their update process [which was only released this week] which says it's released on 12/30/0):

Do not sign digital certificates with MD5
Certificate Authorities should no longer sign newly generated certificates using the MD5 algorithm, as it is known to be prone to collision attacks. Several alternative and more secure technologies are available, including SHA-1, SHA-256, SHA-384 or SHA-512.

So if you guys discover something that doesn't make sense?  Follow up on it.  Dissect it and publish it in a big way....  Many of us ignored the DNS flaws described and exploited by Kaminsky for years.  Believe me there are a great many working exploits before every published exploit.
Yes, I was asleep working on a project... but Hans and I discussed some of the cert auth triangulation auth issues and wondered when it might be coming!


> Date: Wed, 7 Jan 2009 16:19:17 -0700
> From: PLUGd@LuftHans.com
> To: PLUG-discuss@lists.PLUG.phoenix.az.us
> Subject: OpenSSL, MD5, CA security flaws, oh my
>
> moin moin,
>
> Lisa has probably posted the second issue, but I'm a bit behind on the
> list. The first one appears to be from today and I don't see anything from
> her today.
>
> http://openssl.org/news/secadv_20090107.txt
>
> OK, so DSA and ECDSA certs in OpenSSL now are suspect, but RSA is still
> safe, except...
>
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> Hmm, it's possible to impersonate a CA and create RSA certs that'll be
> accepted :(.
>
> I think the 'Outline of the attack' section indicates that the original CA
> certificate is needed, so CAs moving away from MD5 can avoid the problem.
>
> ciao,
>
> der.hans
> --
> # http://www.LuftHans.com/ http://www.LuftHans.com/Classes/
> # Strangers are friends just waiting to happen!