Eric Rescorla [EMAIL PROTECTED] writes:
It's easy to compute all the public keys that will be generated
by the broken PRNG. The clients could embed that list and refuse
to accept any certificate containing one of them. So, this
is distinct from CRLs in that it doesn't require knowing
which
Roger A. Grimes [EMAIL PROTECTED] writes:
I'm sorry, we'll have to agree to disagree. I don't see the new attack vector
here. I, the attacker, have to make you download my malicious trojan program,
which you install on your computer.
It's not so much the attack vector, it's the usability issue.
(The original article was cross-posted to a lot of lists, maybe the discussion
could be moved to vuln-dev only, unless everyone wants to see all of this
stuff).
Roger A. Grimes [EMAIL PROTECTED] writes:
Yes, this is a new attack vector, but it is always game over anyway if I
can get you to run
Thierry Zoller [EMAIL PROTECTED] writes:
PG No, this is an entirely new level of attack,
New level of attack, what makes you believe that?
Because previously you had to spam users and convince them to go to some
random web site and download who knows what (or follow a link in the spam, or
Elias Levy [EMAIL PROTECTED] writes:
Actually, checking most of the CA certificates shipped with IE, less than half
have a CPD field. Of the big CAs only Entrust seems to use the field.
That's not surprising, they invented and, I believe, patented the thing.
Peter.
"Sinclair, Roy" [EMAIL PROTECTED] writes:
Some information regarding Verisign Certificates that has come out of this
fiasco is quite disturbing but has been underreported and may have been
missed by many in the security business.
Pay close attention to this paragraph from the Frequently Asked
Dave Tarbatt - ACS [EMAIL PROTECTED] writes:
I've been looking into disk quotas under Windows 2000 and have uncovered a
few anomalies. On top of a few peculiarities there appears to be a bug which
allows a user to exceed their disk quota by as much as they wish.
[...]
I discovered by