Umm I should probably declare a personal (i.e. through Default Deny Security) interest in patent-pending technology that is designed to address that particular problem area. All rights reserved etc. I can provide details on request. I spent a long time trying to make public key work on embedded devices and came up with the conclusion that it is not what is needed.

On Wed, Feb 15, 2012 at 7:05 PM, Peter Gutmann <[email protected]> wrote:
> Peter Eckersley <[email protected]> writes:
>
>>This seems consistent with Nadia Heninger's claim that these are exclusively
>>routers, VPN devices and other embedded systems:
>
> The state of keys in routers and the like is pretty bad, pre-provisioned fixed
> keys shared across multiple devices, use of identical serial numbers and DNs
> (so browsers see it as an attack/cert-spoofing), done by a whole slew of
> vendors including Astaro, Cisco, Dell, Fortigate, Fujitsu Siemens, HP, Linksys,
> Sonicwall, Zimbra, and Zyxel, and a range of other horrors. It's so
> consistently bad that I've recommended for cert-consuming apps that if you see
> a completely broken cert coming from a device in the same subnet and/or on the
> default gateway then to ignore any problems since it's a normal state of
> affairs.
>
> Peter.

--
Website: http://hallambaker.com/
