[Owasp-singapore] [security-77] Is Opera web browser being too strict in this case?

Wong Onn Chee ocwong at usa.net
Thu May 28 22:47:34 EDT 2009


Thanks for the insight, Winston.

This weak encryption is being used by the IRAS payment vendor for
e-payment of taxes.

Anyone in the group who knows the person(s) responsible in IRAS?
We need to inform them asap.

*Sigh* Another case of an SG Govt agency being short-changed by their
outsourced vendor, besides the one I reported previously.
I don't find it amusing that govt vendors keep short-changing basic
security at the expense of taxpayers.

Martin, can you help inform IRAS about this?


Winston.Leong at sg.ey.com wrote:
> Looks like someone else has replied. In any case, the reason why Opera
> behaves so is summarised as follows:
>
> This dialog will pop up if:
>
> - SSL v2
> - Encryption methods using 40 or 56 bit keys
> - Key exchange performed using RSA or Diffie-Hellman (DH) keys less
> than 900 bits long. (Keys less than 1020 bits long will reduce the security
> level by one point).
>
> RSA/DH keys shorter than 900 bits
>
>
> These keys are used to protect the encryption keys for all transactions
> with the server, if these keys are broken all communication that has been
> exchanged with the server from the time the key was created until it is
> replaced sometime in the future is a wide open book. And that is not all:
> Once these keys are broken an attacker can modify the information exchanged
> between you and the server, and there is no way to detect such changes in
> the protocol! The only way to find out is to check the information you have
> with the information available at the server, and that checking must be
> done in a different fashion since you cannot trust the protocol for such
> audits.
>
>
> Several years ago a 512 bit RSA key was broken in, effectively, 10-12 weeks
> (they used 7-8 months computing by night on a few hundred workstations).
> Today the same job could probably be done in less than 4 weeks, possibly
> much less depending on how many computers you throw at it, and other
> improvements in the art of factoring large numbers. Since such a key is
> usually used for at least one year that means that keys of this length were
> no longer adequate protection for any information that needed to be kept
> secure for more than a few weeks.
>
>
> With 8-core desktops nowadays, script kiddies can probably do it within a
> fortnight.
>
>
> Wong Onn Chee <ocwong at usa.net>
> Sent by: owasp-singapore-bounces at lists.owasp.org
> 28/05/2009 10:59 PM
> To: security-77 at meetup.com, owasp-singapore at lists.owasp.org
> cc:
> Subject: Re: [Owasp-singapore] [security-77] Is Opera web browser being too
> strict in this case?
>
> Thanks for the update, Ryan.
>
> However, other browsers, such as FF and IE, seem to accept such a short
> key length as OK.
>
> There seems to be no standard treatment of what is deemed as
> insufficient and what is sufficient encryption between browsers.
>
> Would like to hear the feedback from the group regarding this.
>
> Regards
> Onn Chee
>
>
> Ryan Koh wrote:
>   
>> Hi,
>>
>> It's not the TLSv1 that Opera has an issue with, it's because the 512
>> bit public key is too short.
>>
>> Regards,
>> Ryan
>>
>> Wong Onn Chee wrote:
>>     
>>> Hi folks,
>>>
>>> I did an online payment recently via my non-default web browser, Opera,
>>> and I encountered the attached pop-up warning.
>>>
>>> Seems like Opera feels that TLSv1 is weak.
>>>
>>> Anyone care to enlighten me why?
>>>
>>> Thanks.
>>>
>>> Regards
>>> Onn Chee
>>>
>>>
>>>
>>> --
>>> Please Note: If you hit "REPLY", your message will be sent to everyone
>>> on this mailing list (security-77 at meetup.com)
>>> http://security.meetup.com/77/
>>> This message was sent by Wong Onn Chee (ocwong at usa.net) from The
>>> Singapore Security Meetup Group.
>>> To learn more about Wong Onn Chee, visit his/her member profile:
>>> http://security.meetup.com/77/members/1756147/
>>> To unsubscribe or to update your mailing list settings, click here:
>>> http://www.meetup.com/account/comm/
>>> Meetup Support: support at meetup.com
>>> 632 Broadway, New York, NY 10012 USA
>>>
>>> ------------------------------------------------------------------------
>>>
>>
>
> _______________________________________________
> Owasp-singapore mailing list
> Owasp-singapore at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-singapore
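The thread's technical point is the one Ryan and Winston make: the warning is about a 512-bit RSA public key, judged against Opera's rules (SSL v2, 40/56-bit ciphers, RSA/DH keys under 900 bits, with keys under 1020 bits costing a security level point). The script below is an added example written for this page, not code from the thread or from Opera. It parses the RSA modulus size out of a DER SubjectPublicKeyInfo with a minimal hand-written DER reader (so it runs offline; the encoder exists only to construct test input, and the 512-bit modulus it builds is a constructed number, not a real key) and then applies the three criteria as quoted in the thread. The `assess_connection` function and its symmetric-cipher threshold of `<= 56` bits are my own reading of those rules.

```python
"""Added example: measure an RSA key from its SubjectPublicKeyInfo and apply
the Opera warning criteria quoted in the thread."""
from __future__ import annotations

# id-rsaEncryption OID 1.2.840.113549.1.1.1, DER-encoded OID body
RSA_OID = bytes.fromhex("2a864886f70d010101")


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def build_rsa_spki(n: int, e: int) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo (RFC 3279 layout).
    Used here only to construct test input; n is a made-up modulus."""
    rsa_public_key = _der_tlv(0x30, _der_int(n) + _der_int(e))
    algorithm = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")
    subject_public_key = _der_tlv(0x03, b"\x00" + rsa_public_key)
    return _der_tlv(0x30, algorithm + subject_public_key)


def _der_read(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the modulus size in bits of an RSA SubjectPublicKeyInfo."""
    tag, body, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, algorithm, pos = _der_read(body, 0)
    _, oid, _ = _der_read(algorithm, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _der_read(body, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_public_key, _ = _der_read(bit_string[1:], 0)
    _, modulus, _ = _der_read(rsa_public_key, 0)  # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def assess_connection(protocol: str, cipher_bits: int, key_bits: int) -> dict:
    """Apply the three criteria quoted in the thread (my reading of them).
    'warn' is whether the dialog would pop up; 'level_penalty' is the
    one-point reduction for keys shorter than 1020 bits."""
    reasons = []
    if protocol.upper().replace(" ", "") == "SSLV2":
        reasons.append("SSL v2")
    if cipher_bits <= 56:  # thread names 40 and 56 bit export ciphers
        reasons.append(f"{cipher_bits}-bit symmetric cipher")
    if key_bits < 900:
        reasons.append(f"{key_bits}-bit RSA/DH key (below 900)")
    penalty = 1 if key_bits < 1020 else 0
    return {"warn": bool(reasons), "reasons": reasons, "level_penalty": penalty}


if __name__ == "__main__":
    # Constructed 512-bit modulus standing in for the payment site's key.
    spki = build_rsa_spki((1 << 511) | 1, 65537)
    bits = rsa_modulus_bits(spki)
    print(bits, assess_connection("TLSv1", 128, bits))
```

On a real server the `spki` bytes would come from the leaf certificate (for example the `subjectPublicKeyInfo` of the DER certificate a TLS client receives); the parser only needs that structure, not the whole certificate, and refuses non-RSA keys rather than guessing.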