[SSL Observatory] Widespread RNG vulnerabilities discovered using Observatory data
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Feb 15 16:05:53 PST 2012
Peter Eckersley <pde at eff.org> writes:
>This seems consistent with Nadia Heninger's claim that these are exclusively
>routers, VPN devices and other embedded systems:
The state of keys in routers and the like is pretty bad, pre-provisioned fixed
keys shared across multiple devices, use of identical serial numbers and DNs
(so browsers see it as an attack/cert-spoofing), done by a whole slew of
vendors including Astaro, Cisco, Dell, Fortigate, Fujitsu Siemens, HP, Linksys,
Sonicwall, Zimbra, and Zyxel, and a range of other horrors. It's so
consistently bad that I've recommended for cert-consuming apps that if you see
a completely broken cert coming from a device in the same subnet and/or on the
default gateway then to ignore any problems since it's a normal state of
affairs.
Peter.
More information about the Observatory
mailing list