[Owasp-singapore] [security-77] Is Opera web browser being too strict in this case?

fs chan chanfs16 at gmail.com
Sun May 31 08:10:33 EDT 2009


Hi


I would like to inform you guys and gals about a tool I created recently for
checking the strength of an SSL-enabled web server. It is similar to
SSL Digger from Foundstone.

You can download it from http://code.google.com/p/libre-tools/

All suggestions and feedback are welcome!


:)
chan fook sheng




On Fri, May 29, 2009 at 10:47 AM, Wong Onn Chee <ocwong at usa.net> wrote:
> Thanks for the insight, Winston.
>
> This weak encryption is being used by the IRAS payment vendor for
> e-payment of taxes.
>
> Any one in the group who knows the person(s) responsible in IRAS?
> We need to inform them asap.
>
> *Sigh* Another case of an SG Govt agency being short-changed by their
> outsourced vendor besides the one I reported previously.
> I don't find it amusing that govt vendors keep short-changing basic
> security at the expense of taxpayers.
>
> Martin, can you help inform IRAS about this?
>
>
> Winston.Leong at sg.ey.com wrote:
>> Looks like someone else has replied. In any case, the reason why Opera
>> behaves so is summarised as follows:
>>
>> This dialog will pop up if:
>>
>>
>> - SSL v2
>> - Encryption methods using 40 or 56 bit keys
>> - Key exchange performed using RSA or Diffie-Hellman (DH) keys less
>>   than 900 bits long. (Keys less than 1020 bits long will reduce the security
>>   level by one point).
>>
>> RSA/DH keys shorter than 900 bits
>>
>>
>> These keys are used to protect the encryption keys for all transactions
>> with the server, if these keys are broken all communication that has been
>> exchanged with the server from the time the key was created until it is
>> replaced sometime in the future is a wide open book. And that is not all:
>> Once these keys are broken an attacker can modify the information exchanged
>> between you and the server, and there is no way to detect such changes in
>> the protocol! The only way to find out is to check the information you have
>> with the information available at the server, and that checking must be
>> done in a different fashion since you cannot trust the protocol for such
>> audits.
>>
>>
>> Several years ago a 512 bit RSA key was broken in, effectively, 10-12 weeks
>> (they used 7-8 months computing by night on a few hundred workstations).
>> Today the same job could probably be done in less than 4 weeks, possibly
>> much less depending on how many computers you throw at it, and other
>> improvements in the art of factoring large numbers. Since such a key is
>> usually used for at least one year that means that keys of this length were
>> no longer adequate protection for any information that needed to be kept
>> secure for more than a few weeks.
>>
>>
>> With 8-cores desktops nowadays, script kiddies can probably do it within a
>> fortnight.
>>
>> Wong Onn Chee <ocwong at usa.net>, sent by owasp-singapore-bounces at lists.owasp.org
>> 28/05/2009 10:59 PM
>> To: security-77 at meetup.com, owasp-singapore at lists.owasp.org
>> Subject: Re: [Owasp-singapore] [security-77] Is Opera web browser being too strict in this case?
>>
>> Thanks for the update, Ryan.
>>
>> However, other browsers, such as FF and IE, seem to accept such short
>> key length as ok.
>>
>> There seems to be no standard treatment of what is deemed as
>> insufficient and what is sufficient encryption between browsers.
>>
>> Will like to hear the feedback from the group regarding this.
>>
>> Regards
>> Onn Chee
>>
>>
>> Ryan Koh wrote:
>>
>>> Hi,
>>>
>>> It's not the TLSv1 that Opera has an issue with, it's because the 512
>>> bit public key is too short.
>>>
>>> Regards,
>>> Ryan
>>>
>>> Wong Onn Chee wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I did an online payment recently via my non-default web browser, Opera,
>>>> and I encountered the attached pop-up warning.
>>>>
>>>> Seems like Opera feels that TLSv1 is weak.
>>>>
>>>> Any one care to enlighten me why?
>>>>
>>>> Thanks.
>>>>
>>>> Regards
>>>> Onn Chee
>>>>
>>>>
>>>>
>>>> --
>>>> Please Note: If you hit "REPLY", your message will be sent to everyone
>>>> on this mailing list (security-77 at meetup.com)
>>>> http://security.meetup.com/77/
>>>> This message was sent by Wong Onn Chee (ocwong at usa.net) from The
>>>> Singapore Security Meetup Group.
>>>> To learn more about Wong Onn Chee, visit his/her member profile:
>>>> http://security.meetup.com/77/members/1756147/
>>>> To unsubscribe or to update your mailing list settings, click here:
>>>> http://www.meetup.com/account/comm/
>>>> Meetup Support: support at meetup.com
>>>> 632 Broadway, New York, NY 10012 USA
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Please Note: If you hit "*REPLY*", your message will be sent to
>>> *everyone* on this mailing list (security-77 at meetup.com
>>> <mailto:security-77 at meetup.com>)
>>> This message was sent by Ryan Koh (ryan at c26labs.com) from The
>>> Singapore Security Meetup Group <http://security.meetup.com/77/>.
>>> To learn more about Ryan Koh, visit his/her member profile
>>> <http://security.meetup.com/77/members/9062810/>
>>> To unsubscribe or to update your mailing list settings, click here
>>> <http://www.meetup.com/account/comm/>
>>>
>>> Meetup Support: support at meetup.com
>>> 632 Broadway, New York, NY 10012 USA
>>> ------------------------------------------------------------------------
>>>
>>>
>>
>> _______________________________________________
>> Owasp-singapore mailing list
>> Owasp-singapore at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-singapore
>>
>>
>>
>>
>>
>
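As an added example (written for this archive page; it is neither the libre-tools checker from the first message nor Opera's own code), the following Python applies the three conditions Winston quotes for Opera's warning dialog (SSL v2, 40/56-bit ciphers, RSA/DH keys shorter than 900 bits, with a one-point penalty below 1020 bits) to constructed handshake records, and shows Ryan's point that for the case in the thread the trigger is the 512-bit RSA key, not TLSv1. The three-step security-level scale, the sample hosts and the cipher names are assumptions.

```python
"""
Added example (not the libre-tools checker and not Opera's code): score a
server's negotiated SSL/TLS parameters against the three conditions the
thread quotes for Opera's warning dialog, and check whether the warning
would persist if only the public key were longer.
"""
from dataclasses import dataclass, replace
from typing import Tuple

# Thresholds as quoted in the thread.
WARN_KEY_BITS = 900          # RSA/DH key shorter than this -> warning dialog
PENALTY_KEY_BITS = 1020      # shorter than this -> security level reduced by one
WEAK_CIPHER_BITS = (40, 56)  # export-grade symmetric key sizes named in the thread
MAX_LEVEL = 3                # assumed scale; the thread does not give Opera's actual scale


@dataclass(frozen=True)
class Handshake:
    """Negotiated parameters for one server (constructed sample data below)."""
    host: str
    protocol: str      # "SSLv2", "SSLv3" or "TLSv1"
    cipher: str        # suite name, informational only
    cipher_bits: int   # symmetric key length in bits
    kx: str            # key-exchange algorithm: "RSA" or "DH"
    key_bits: int      # length of the RSA/DH public key used for key exchange


@dataclass(frozen=True)
class Verdict:
    host: str
    warn: bool                  # would the dialog pop up?
    level: int                  # MAX_LEVEL minus any penalty
    reasons: Tuple[str, ...]    # which quoted rules fired


def assess(h: Handshake) -> Verdict:
    """Apply the quoted rules: SSLv2, 40/56-bit ciphers, RSA/DH keys < 900 bits."""
    reasons = []
    level = MAX_LEVEL
    if h.protocol.lower() == "sslv2":
        reasons.append("SSL v2 negotiated")
    if h.cipher_bits in WEAK_CIPHER_BITS:
        reasons.append(f"{h.cipher_bits}-bit symmetric cipher ({h.cipher})")
    if h.key_bits < WARN_KEY_BITS:
        reasons.append(f"{h.kx} key of {h.key_bits} bits is shorter than {WARN_KEY_BITS}")
    if h.key_bits < PENALTY_KEY_BITS:
        level -= 1  # the parenthetical rule: under 1020 bits costs one point
    return Verdict(h.host, bool(reasons), level, tuple(reasons))


def warning_survives_strong_key(h: Handshake, strong_key_bits: int = 2048) -> bool:
    """Re-assess with a long key swapped in. False means the key length alone
    explains the dialog (the thread's case); True means protocol or cipher
    rules would still fire."""
    if not assess(h).warn:
        return False
    return assess(replace(h, key_bits=strong_key_bits)).warn


# Constructed sample data; the first entry mirrors the case in the thread
# (TLSv1 negotiated, but the server's RSA key is only 512 bits).
SAMPLES = (
    Handshake("payment.example", "TLSv1", "RC4-MD5", 128, "RSA", 512),
    Handshake("legacy.example", "SSLv2", "EXP-RC4-MD5", 40, "RSA", 512),
    Handshake("ok.example", "TLSv1", "AES256-SHA", 256, "RSA", 2048),
)


def report(samples=SAMPLES) -> str:
    """One line per host: status, security level and the rules that fired."""
    lines = []
    for h in samples:
        v = assess(h)
        status = "WARN" if v.warn else "ok"
        why = "; ".join(v.reasons) or "no weak parameters"
        lines.append(f"{h.host:18} {status:4} level={v.level} {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

For a live host, `ssl.SSLSocket.cipher()` returns a `(name, protocol, bits)` tuple that can fill `cipher`, `protocol` and `cipher_bits`; the public key length has to come from a certificate parser, which the standard library does not provide, so the records above are constructed by hand.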

