[Owasp-singapore] [security-77] Is Opera web browser being too strict in this case?

Donald Ong donald.ong at gmail.com
Fri May 29 07:59:20 EDT 2009


Hi,

It would be good if IRAS internally reviewed their web applications in terms of security annually. It is one of the requirements from PCI.

I've noticed many govt agencies don't care much about their web applications once they launch live. That is a sad case.


Regards,
Donald

Wong Onn Chee <ocwong at usa.net> wrote:

>Thanks for the insight, Winston.
>
>This weak encryption is being used by the IRAS payment vendor for
>e-payment of taxes.
>
>Any one in the group who knows the person(s) responsible in IRAS?
>We need to inform them asap.
>
>*Sigh* Another case of SG Govt agency being short-changed by their
>outsourced vendor besides the one I reported previously.
>I don't find it amusing that govt vendors keep short-changing basic
>security at the expense of taxpayers.
>
>Martin, can you help inform IRAS about this?
>
>
>Winston.Leong at sg.ey.com wrote:
>> Looks like someone else has replied. In any case, the reason why Opera
>> behaves so is summarised as follows:
>>
>> This dialog will pop up if:
>>
>>
>> - SSL v2
>> - Encryption methods using 40 or 56 bit keys
>> - Key exchange performed using RSA or Diffie-Hellman (DH) keys less
>> than 900 bits long. (Keys less than 1020 bits long will reduce the security
>> level by one point).
>>
>> RSA/DH keys shorter than 900 bits
>>
>>
>> These keys are used to protect the encryption keys for all transactions
>> with the server; if these keys are broken, all communication that has been
>> exchanged with the server from the time the key was created until it is
>> replaced sometime in the future is a wide open book. And that is not all:
>> Once these keys are broken an attacker can modify the information exchanged
>> between you and the server, and there is no way to detect such changes in
>> the protocol! The only way to find out is to check the information you have
>> with the information available at the server, and that checking must be
>> done in a different fashion since you cannot trust the protocol for such
>> audits.
>>
>>
>> Several years ago a 512 bit RSA key was broken in, effectively, 10-12 weeks
>> (they used 7-8 months computing by night on a few hundred workstations).
>> Today the same job could probably be done in less than 4 weeks, possibly
>> much less depending on how many computers you throw at it, and other
>> improvements in the art of factoring large numbers. Since such a key is
>> usually used for at least one year, that means that keys of this length were
>> no longer adequate protection for any information that needed to be kept
>> secure for more than a few weeks.
>>
>>
>> With 8-core desktops nowadays, script kiddies can probably do it within a
>> fortnight.
>>
>>
>>
>> Wong Onn Chee <ocwong at usa.net> wrote on 28/05/2009 10:59 PM (to
>> security-77 at meetup.com, owasp-singapore at lists.owasp.org; subject:
>> Re: [Owasp-singapore] [security-77] Is Opera web browser being too strict
>> in this case?):
>>
>> Thanks for the update, Ryan.
>>
>> However, other browsers, such as FF and IE, seem to accept such short
>> key length as ok.
>>
>> There seems to be no standard treatment of what is deemed as
>> insufficient and what is sufficient encryption between browsers.
>>
>> Would like to hear the feedback from the group regarding this.
>>
>> Regards
>> Onn Chee
>>
>>
>> Ryan Koh wrote:
>>   
>>> Hi,
>>>
>>> It's not the TLSv1 that Opera has an issue with, it's because the 512
>>> bit public key is too short.
>>>
>>> Regards,
>>> Ryan
>>>
>>> Wong Onn Chee wrote:
>>>     
>>>> Hi folks,
>>>>
>>>> I did an online payment recently via my non-default web browser, Opera,
>>>> and I encountered the attached pop-up warning.
>>>>
>>>> Seems like Opera feels that TLSv1 is weak.
>>>>
>>>> Any one care to enlighten me why?
>>>>
>>>> Thanks.
>>>>
>>>> Regards
>>>> Onn Chee
>>>>
>>>>
>>>>
>>>> --
>>>> Please Note: If you hit "REPLY", your message will be sent to everyone
>>>> on this mailing list (security-77 at meetup.com)
>>>> http://security.meetup.com/77/
>>>> This message was sent by Wong Onn Chee (ocwong at usa.net) from The
>>>> Singapore Security Meetup Group.
>>>> To learn more about Wong Onn Chee, visit his/her member profile:
>>>> http://security.meetup.com/77/members/1756147/
>>>> To unsubscribe or to update your mailing list settings, click here:
>>>> http://www.meetup.com/account/comm/
>>>> Meetup Support: support at meetup.com
>>>> 632 Broadway, New York, NY 10012 USA
>>>>
>>>
>>
>> _______________________________________________
>> Owasp-singapore mailing list
>> Owasp-singapore at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-singapore
>>
>>
>>
>>
>>   
>
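Winston's list of Opera's thresholds, turned into a check a defender can run against a certificate's public key. This is an added example, not code from the thread or from Opera: it encodes a constructed 512-bit RSA SubjectPublicKeyInfo in DER (a dummy modulus, not a real key), parses the modulus length back out of the DER, and rates it with the rules quoted above.

```python
def der(tag, body):
    """Minimal DER TLV encoder (definite-length form only)."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):
    """DER INTEGER; the extra byte yields a leading 0x00 when the top bit is set."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_spki(n, e):
    """SubjectPublicKeyInfo { rsaEncryption OID, BIT STRING { RSAPublicKey { n, e } } }."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg + der(0x03, b"\x00" + key))

def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the modulus n inside an RSA SubjectPublicKeyInfo."""
    _, spki, _ = der_read(spki_der)
    _, _, after_alg = der_read(spki)        # skip the AlgorithmIdentifier
    _, bitstr, _ = der_read(spki, after_alg)
    _, rsa_key, _ = der_read(bitstr, 1)     # byte 0 of a BIT STRING is the unused-bits count
    _, modulus, _ = der_read(rsa_key)       # RSAPublicKey: INTEGER n comes first
    return int.from_bytes(modulus, "big").bit_length()

def opera_rating(protocol, cipher_bits, key_bits):
    """Opera's thresholds as quoted in the thread: (warning reasons, security-level penalty)."""
    reasons = []
    if protocol == "SSLv2":
        reasons.append("SSL v2")
    if cipher_bits in (40, 56):
        reasons.append(f"{cipher_bits}-bit cipher")
    if key_bits < 900:
        reasons.append(f"RSA/DH key of {key_bits} bits is under 900")
    return reasons, (1 if key_bits < 1020 else 0)

# Constructed 512-bit modulus (not prime, not a real key), e = 65537.
WEAK_SPKI = rsa_spki((1 << 511) | 0x12345679, 65537)
```

For a live server, pass the SubjectPublicKeyInfo taken from the DER certificate that ssl.SSLSocket.getpeercert(binary_form=True) returns, together with the protocol and bits reported by SSLSocket.cipher(); extracting the SPKI from the full certificate is not shown here.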

