[nycbug-talk] OpenVPN (was MD5 stuff)
Isaac Levy
ike at lesmuug.org
Wed Jan 7 14:17:04 EST 2009
On Jan 7, 2009, at 1:59 PM, Dan Langille wrote:
> On Dec 31, 2008, at 6:44 PM, Isaac Levy wrote:
>> On Dec 31, 2008, at 2:45 AM, Miles Nordin wrote:
>>
>>> I think it would be funny if these guys made a real CA cert with their
>>> exploit and started selling certs signed by their fake key for $2 each
>>> or something. not illegitimate certs, like, email-contact-verified
>>> certs, the regular legitimate kind, just cheaper. Why not? It's
>>> probably even legal in some jurisdiction if not in most. and most
>>> webmasters just want to turn the browser bar green. It works now, so
>>> for $2 why not? I'd buy one. If it starts turning browser bars red
>>> some day, buy a more expensive cert _some day_, not now. The whole
>>> cert thing was such a racket to begin with, i wish they'd start
>>> selling fake ones.
>>
>> Insanely great idea, IMHO- I mean, why not? It's like creating a new
>> currency (backed by insecurity).
>>
>> --
>> Sidenote- everyone here who's dismissed OpenVPN, it almost goes
>> without saying that this is yet another rock in that bucket...
>
> That's a nice turn of phrase. Never heard it before.
>
> Really? People dismiss OpenVPN? Seems to be an OK solution to me.
> Mind you, it doesn't matter what you pick, someone will dismiss it.
>
> It's been working flawlessly for my needs for the past month or so.
I do not use OpenVPN (IPSec holds much more interest for me based on
its scope...), and with that, I have only a cursory understanding of
its mechanics.
With that, I stand corrected by Miles and csnyder:
On Jan 6, 2009, at 9:55 AM, csnyder wrote:
> It's amazing just how helpless we are against the dumbing-down of TLS
> by browser vendors.
Indeed. It seems, with a closer look, that OpenVPN would only be
vulnerable to the recent MD5-based SSL attack if it was configured to
use public/auto-signing CAs. I have no idea how likely this is out in
the wild, but...
On Jan 6, 2009, at 7:19 AM, Miles Nordin wrote:
> I'm not an openvpn fan, nor an x.509/asn/taxonomy-of-everything fan,
> but it's worth understanding the attack better than ``anything
> containing x.509 is no longer trustworthy!''
Indeed.
On Jan 6, 2009, at 9:55 AM, csnyder wrote:
> Could we just start the internet over, but not tell Verisign this
> time?
I'm all for it. Heck, there's more than Verisign I'd like to not tell
this time...
http://www.youtube.com/watch?v=F7z8NRUFyN0
Rocket,
.ike
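As an added example (not from the thread, and not OpenVPN's own code), a stdlib-only Python check that walks a DER certificate and reports whether its outer signature algorithm is md5WithRSAEncryption, which is the check an operator would run over every cert in an OpenVPN CA chain to see if the MD5 collision attack discussed above applies. The sample certificates are constructed inside the block; real ones would be loaded from PEM after base64-decoding the armour.

```python
# Added example, not from the thread: stdlib-only DER walker reporting the
# signatureAlgorithm OID of an X.509 cert, so an operator can spot MD5-signed
# certs in an OpenVPN 'ca' chain. Assumes DER input; fake_cert() is constructed data.
MD5_RSA_OID = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption (PKCS #1)

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Dotted OID from the outer signatureAlgorithm field of a DER Certificate."""
    _, cert, _ = read_tlv(der_cert, 0)         # Certificate ::= SEQUENCE {
    _, _, after_tbs = read_tlv(cert, 0)        #   tbsCertificate (skipped),
    _, alg, _ = read_tlv(cert, after_tbs)      #   signatureAlgorithm,
    tag, oid, _ = read_tlv(alg, 0)             #   signatureValue }
    assert tag == 0x06, "signatureAlgorithm must start with an OID"
    return decode_oid(oid)

def is_md5_signed(der_cert):
    return signature_algorithm(der_cert) == MD5_RSA_OID

def der_tlv(tag, body):
    """Encode one TLV (short or long length form); used to build the samples."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def fake_cert(oid_bytes):
    """Constructed sample: a Certificate skeleton with the given signature OID."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + b"\x00" * 200)  # padded -> long length
    alg = der_tlv(0x30, der_tlv(0x06, oid_bytes) + b"\x05\x00")  # AlgorithmIdentifier
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 17))  # + signatureValue

MD5_SAMPLE = fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")     # ...1.1.4  = MD5
SHA256_SAMPLE = fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # ...1.1.11 = SHA-256
```

Only the outer signatureAlgorithm is inspected, which is what matters for the collision attack; the tbsCertificate content is skipped by length, so the padded stub in fake_cert exercises the long-form length path a real cert also uses.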