[SSL Observatory] Widespread RNG vulnerabilities discovered using Observatory data
Chris Palmer
snackypants at gmail.com
Thu Feb 16 21:28:53 PST 2012
On 15 févr. 2012, at 13:37, Ondrej Mikle wrote:
> For example, I've run into a dead-end when reporting yet-unknown
> certs with weak 512-bit keys with the right KU and EKU extensions for code
> signing to a CA
A bit off-topic, but that's never stopped me before: We are working on folding tests for basic sanity into Chrome (for example, we now reject < 1024-bit RSA or DSA keys at run-time, and we reject weak signing algorithms). Enforcing as many of the EV guidelines at run-time is also on our list.
Other key- and certificate-using software should also incorporate what checks are feasible and reasonable too.
That doesn't really solve the problem of telling the owners of the weak key/cert, but it does help users avoid the weaknesses at run-time. (And that's a good way to suddenly start hearing from the people who issued the 512-bit key...)
More information about the Observatory
mailing list