[Owasp-singapore] [security-77] Is Opera web browser being too strict in this case?

Winston.Leong at sg.ey.com Winston.Leong at sg.ey.com
Thu May 28 22:33:26 EDT 2009


Looks like someone else has replied. In any case, the reason why Opera
behaves so is summarised as follows:

This dialog will pop up if:

- SSL v2
- Encryption methods using 40 or 56 bit keys
- Key exchange performed using RSA or Diffie-Hellman (DH) keys less
  than 900 bits long. (Keys less than 1020 bits long will reduce the security
  level by one point.)

RSA/DH keys shorter than 900 bits


These keys are used to protect the encryption keys for all transactions
with the server; if these keys are broken, all communication that has been
exchanged with the server from the time the key was created until it is
replaced sometime in the future is a wide open book. And that is not all:
once these keys are broken an attacker can modify the information exchanged
between you and the server, and there is no way to detect such changes in
the protocol! The only way to find out is to check the information you have
against the information available at the server, and that checking must be
done in a different fashion since you cannot trust the protocol for such
audits.


Several years ago a 512 bit RSA key was broken in, effectively, 10-12 weeks
(they used 7-8 months computing by night on a few hundred workstations).
Today the same job could probably be done in less than 4 weeks, possibly
much less depending on how many computers you throw at it, and other
improvements in the art of factoring large numbers. Since such a key is
usually used for at least one year, that means that keys of this length were
no longer adequate protection for any information that needed to be kept
secure for more than a few weeks.


With 8-core desktops nowadays, script kiddies can probably do it within a
fortnight.
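The three trigger conditions quoted above, written out as a small checker so it is visible why a TLSv1 handshake with a strong cipher still warns when the server key is 512 bits. This is an added example, not Opera's code; the cipher table, the Handshake fields and the starting security level of 3 are assumptions.

```python
"""Model of the Opera warning rules quoted in the message above (constructed)."""
from dataclasses import dataclass

# Symmetric strength of a few classic cipher suites, in bits (assumed table;
# export-grade suites use 40-bit keys, single DES uses a 56-bit key).
CIPHER_BITS = {
    "EXP-RC4-MD5": 40,
    "EXP-DES-CBC-SHA": 40,
    "DES-CBC-SHA": 56,
    "AES128-SHA": 128,
    "AES256-SHA": 256,
}

WEAK_CIPHER_MAX_BITS = 56    # 40- and 56-bit encryption triggers the dialog
WARN_KEY_BITS = 900          # RSA/DH key exchange keys below this trigger it
DEGRADE_KEY_BITS = 1020      # keys below this lose one security-level point


@dataclass
class Handshake:
    protocol: str           # "SSLv2", "SSLv3" or "TLSv1"
    cipher: str             # cipher suite name, must be in CIPHER_BITS
    key_exchange_bits: int  # size of the RSA/DH key protecting the session keys


@dataclass
class Assessment:
    warn: bool      # True when Opera's dialog would pop up
    level: int      # remaining security level (assumed to start at 3)
    reasons: list   # human-readable triggers, empty when nothing fired


def assess(hs: Handshake, base_level: int = 3) -> Assessment:
    """Apply the three trigger conditions plus the 1020-bit degradation rule."""
    if hs.cipher not in CIPHER_BITS:
        raise ValueError(f"unknown cipher suite: {hs.cipher}")
    reasons = []
    level = base_level
    if hs.protocol == "SSLv2":
        reasons.append("SSL v2 negotiated")
    bits = CIPHER_BITS[hs.cipher]
    if bits <= WEAK_CIPHER_MAX_BITS:
        reasons.append(f"{bits}-bit encryption ({hs.cipher})")
    if hs.key_exchange_bits < WARN_KEY_BITS:
        reasons.append(f"{hs.key_exchange_bits}-bit key exchange key")
    elif hs.key_exchange_bits < DEGRADE_KEY_BITS:
        level -= 1   # no dialog, but the rating drops one point
    return Assessment(warn=bool(reasons), level=level, reasons=reasons)
```

The thread's case is `assess(Handshake("TLSv1", "AES128-SHA", 512))`, which warns solely because of the key size, not the protocol version.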

On 28/05/2009 10:59 PM, Wong Onn Chee <ocwong at usa.net> (sent by owasp-singapore-bounces at lists.owasp.org) wrote to security-77 at meetup.com and owasp-singapore at lists.owasp.org, Subject: Re: [Owasp-singapore] [security-77] Is Opera web browser being too strict in this case?

Thanks for the update, Ryan.

However, other browsers, such as FF and IE, seem to accept such a short
key length as OK.

There seems to be no standard treatment of what is deemed as
insufficient and what is sufficient encryption between browsers.

Would like to hear the feedback from the group regarding this.

Regards
Onn Chee


Ryan Koh wrote:
> Hi,
>
> It's not TLSv1 that Opera has an issue with; it's because the 512
> bit public key is too short.
>
> Regards,
> Ryan
>
> Wong Onn Chee wrote:
>> Hi folks,
>>
>> I did an online payment recently via my non-default web browser, Opera,
>> and I encountered the attached pop-up warning.
>>
>> Seems like Opera feels that TLSv1 is weak.
>>
>> Any one care to enlighten me why?
>>
>> Thanks.
>>
>> Regards
>> Onn Chee

_______________________________________________
Owasp-singapore mailing list
Owasp-singapore at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-singapore