All,

I've been having a look at how OpenVAS currently does crypto (primarily around the client/server SSL and plugin validation) and it strikes me that we have a significant over-reliance on MD5 both for validating certificates and for validating plugins. For those of you that may not be aware, MD5 is subject to significant collision attacks[1] that make it unsuitable for such purposes.

Changing how we validate plugins may require changes to the protocol and should therefore be formalised in a change request; however, in the meantime, I would like to change how certificates are handled as soon as can reasonably be done and am interested in your opinions on this.

Tim

[1] http://www.win.tue.nl/hashclash/rogue-ca/

--
Tim Brown
<mailto:t...@openvas.org>
<http://www.openvas.org/>