[SSL Observatory] Widespread RNG vulnerabilities discovered using Observatory data

Phillip Hallam-Baker hallam at gmail.com
Wed Feb 15 16:40:59 PST 2012


Umm, I should probably declare a personal (i.e. through Default Deny
Security) interest in patent-pending technology that is designed to
address that particular problem area.

All rights reserved etc. I can provide details on request.


I spent a long time trying to make public key work on embedded devices
and came up with the conclusion that it is not what is needed.


On Wed, Feb 15, 2012 at 7:05 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Peter Eckersley <pde at eff.org> writes:
>
>>This seems consistent with Nadia Heninger's claim that these are exclusively
>>routers, VPN devices and other embedded systems:
>
> The state of keys in routers and the like is pretty bad, pre-provisioned fixed
> keys shared across multiple devices, use of identical serial numbers and DNs
> (so browsers see it as an attack/cert-spoofing), done by a whole slew of
> vendors including Astaro, Cisco, Dell, Fortigate, Fujitsu Siemens, HP, Linksys,
> Sonicwall, Zimbra, and Zyxel, and a range of other horrors.  It's so
> consistently bad that I've recommended for cert-consuming apps that if you see
> a completely broken cert coming from a device in the same subnet and/or on the
> default gateway then to ignore any problems since it's a normal state of
> affairs.
>
> Peter.



-- 
Website: http://hallambaker.com/
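
An added example, not part of the original message or of any Observatory code: one way to audit your own device inventory for the two conditions Peter Gutmann describes above, a fixed key shared across multiple devices and an issuer/serial pair reused by different certificates. The record layout, host addresses, DNs and fingerprint values are constructed for illustration; in practice the fingerprints would be SHA-256 hashes taken from a scan of devices you manage.

```python
from collections import defaultdict

# Constructed scan records (assumed layout, not a real tool's output):
# (host, issuer DN, serial as hex, certificate fingerprint, public-key fingerprint)
SAMPLE_SCAN = [
    ("10.0.0.1",  "CN=router,O=ExampleVendor", "01",   "c-01", "aa11"),
    ("10.0.1.1",  "CN=router,O=ExampleVendor", "01",   "c-01", "aa11"),
    ("10.0.2.1",  "CN=router,O=ExampleVendor", "0001", "c-02", "bb22"),
    ("10.0.3.10", "CN=vpn-3,O=ExampleVendor",  "7f",   "c-03", "cc33"),
    ("10.0.3.10", "CN=vpn-3,O=ExampleVendor",  "7f",   "c-03", "cc33"),  # rescan
    ("10.0.4.5",  "CN=gw,O=OtherVendor",       "01",   "c-04", "dd44"),
]


def audit(rows):
    """Return (shared_keys, reused_ids) for a list of scan records.

    shared_keys: public-key fingerprint -> hosts, where more than one distinct
                 host presents the same key (pre-provisioned fixed key).
    reused_ids:  (issuer DN, serial) -> certificate fingerprints, where one
                 issuer/serial pair names more than one distinct certificate.
    """
    hosts_by_key = defaultdict(set)
    certs_by_id = defaultdict(set)
    for host, issuer, serial_hex, cert_fp, spki_fp in rows:
        hosts_by_key[spki_fp].add(host)
        # Compare serials as integers so "01" and "0001" are the same serial.
        certs_by_id[(issuer, int(serial_hex, 16))].add(cert_fp)

    shared_keys = {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}
    reused_ids = {i: sorted(c) for i, c in certs_by_id.items() if len(c) > 1}
    return shared_keys, reused_ids


if __name__ == "__main__":
    shared, reused = audit(SAMPLE_SCAN)
    for key_fp, hosts in shared.items():
        print(f"key {key_fp} is shared by hosts: {', '.join(hosts)}")
    for (issuer, serial), certs in reused.items():
        print(f"issuer {issuer!r} serial {serial:#x} names {len(certs)} different certs")
```

A host that is scanned twice is counted once, and the same serial under a different issuer is not flagged, since serial numbers only need to be unique per issuer.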


