[nycbug-talk] OpenVPN (was MD5 stuff)

Isaac Levy ike at lesmuug.org
Wed Jan 7 14:17:04 EST 2009

On Jan 7, 2009, at 1:59 PM, Dan Langille wrote:
> On Dec 31, 2008, at 6:44 PM, Isaac Levy wrote:
>> On Dec 31, 2008, at 2:45 AM, Miles Nordin wrote:
>>> I think it would be funny if these guys made a real CA cert with their
>>> exploit and started selling certs signed by their fake key for $2 each
>>> or something.  not illegitimate certs, like, email-contact-verified
>>> certs, the regular legitimate kind, just cheaper.  Why not?  It's
>>> probably even legal in some jurisdiction if not in most.  and most
>>> webmasters just want to turn the browser bar green.  It works now, so
>>> for $2 why not?  I'd buy one.  If it starts turning browser bars red
>>> some day, buy a more expensive cert _some day_, not now. The whole
>>> cert thing was such a racket to begin with, i wish they'd start
>>> selling fake ones.
>> Insanely great idea, IMHO- I mean, why not?  It's like creating a new
>> currency (backed by insecurity).
>> --
>> Sidenote- everyone here who's dismissed OpenVPN, it almost goes
>> without saying that this is yet another rock in that bucket...
> That's a nice turn of phrase.  Never heard it before.
> Really?  People dismiss OpenVPN?  Seems to be an OK solution to me.
> Mind you, it doesn't matter what you pick, someone will dismiss it.
> It's been working flawlessly for my needs for the past month or so.

I do not use OpenVPN (IPSec holds much more interest for me based on its scope...), and with that, I have only a cursory understanding of its mechanics.

With that, I stand corrected by Miles and csnyder:

On Jan 6, 2009, at 9:55 AM, csnyder wrote:
> It's amazing just how helpless we are against the dumbing-down of TLS
> by browser vendors.

Indeed.  It seems, with a closer look, that OpenVPN would only be vulnerable to the recent MD5-based SSL attack if it was configured to use public/auto-signing CAs.  I have no idea how likely this is out in the wild,

On Jan 6, 2009, at 7:19 AM, Miles Nordin wrote:
> I'm not an openvpn fan, nor an x.509/asn/taxonomy-of-everything fan,
> but it's worth understanding the attack better than ``anything
> containing x.509 is no longer trustworthy!''


On Jan 6, 2009, at 9:55 AM, csnyder wrote:
> Could we just start the internet over, but not tell Verisign this time?

I'm all for it.  Heck, there's more than Verisign I'd like to not tell this time...
