[OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

Ben Laurie benl at google.com
Fri Aug 8 10:51:34 EDT 2008

On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg at startcom.org> wrote:
> This affects any web site and service provider of various natures. It's not
> exclusive for OpenID nor for any other protocol / standard / service! It may
> affect an OpenID provider if it uses a compromised key in combination with
> unpatched DNS servers. I don't understand why OpenID is singled out, since
> it can potentially affect any web site including Google's various services
> (if Google would have used Debian systems to create their private keys).

OpenID is "singled out" because I am not talking about a potential
problem but an actual problem.

We have spotted other actual problems in other services. Details will
be forthcoming at appropriate times.

The Cryptography Mailing List