Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Jeffrey Walton
On Mon, Dec 20, 2010 at 7:04 PM, BMF wrote: > On Sat, Dec 18, 2010 at 7:13 PM, Craig Heffner wrote: >> The LittleBlackBox project contains a database of over 2,000 (and growing) >> private SSL keys that are correlated with their respective public >> certificates, and hardware/firmware versions. W

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread coderman
On Mon, Dec 20, 2010 at 4:04 PM, BMF wrote: >... > Most of what I have read so far indicates that these secret keys can > be used to sniff only administrative traffic to the device itself. right. considering 97.3% of these devices have trivial XSRF, remote access, and other vectors wide open this

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread BMF
On Sat, Dec 18, 2010 at 7:13 PM, Craig Heffner wrote: > The LittleBlackBox project contains a database of over 2,000 (and growing) > private SSL keys that are correlated with their respective public > certificates, and hardware/firmware versions. While most of these > certificates are from DD-WRT

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Thor (Hammer of God)
eems like an obvious concern, but it is still interesting. t > -Original Message- > From: Michal Zalewski [mailto:lcam...@coredump.cx] > Sent: Monday, December 20, 2010 8:16 AM > To: Thor (Hammer of God) > Cc: Craig Heffner; full-disclosure@lists.grok.org.uk > Subj

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Michal Zalewski
> These manufacturers use the same key on each of their models?  That seems > ridiculous to me... As a person who had a Siemens AP / router with a hardcoded, hidden "management" account on it, I find your surprise entertaining ;-) Craig, cool project. /mz

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Craig Heffner
From a security standpoint, it is. But it's easier and probably more cost effective for the manufacturer. Sometimes the key will be different between firmware versions, sometimes it won't. Sometimes the same key will be used for two different models. It just depends. Some models don't have hard c

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Larry Seltzer
:18 PM *To:* Craig Heffner; full-disclosure@lists.grok.org.uk *Subject:* Re: [Full-disclosure] Default SSL Keys in Multiple Routers These manufacturers use the same key on each of their models? That seems ridiculous to me... T -- *From: *Craig Heffner *Sent: *Sunday

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-19 Thread Thor (Hammer of God)
-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Default SSL Keys in Multiple Routers >From a security standpoint, it is. But it's easier and probably more cost >effective for the manufacturer. Sometimes the key will be different between firmware versions, sometime

Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-19 Thread Thor (Hammer of God)
These manufacturers use the same key on each of their models? That seems ridiculous to me... T From: Craig Heffner Sent: Sunday, December 19, 2010 5:56 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Default SSL Keys in Multiple Routers Many r