Re: [TLS] Security today
That might be the case for box products.
$ openssl s_client -connect www.microsoft.com:443 -tls1
CONNECTED(00000003)
depth=2 /CN=Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=washington/L=Redmond/O=Microsoft/OU=mscom/CN=www.microsoft.com
i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
i:/CN=Microsoft Internet Authority
2 s:/CN=Microsoft Internet Authority
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/C=US/ST=washington/L=Redmond/O=Microsoft/OU=mscom/CN=www.microsoft.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
No client certificate CA names sent
---
SSL handshake has read 4078 bytes and written 284 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 531400000548600BCAE3CC4838956A1C3050A9CF2F0B201FD2CBEA4E9F473AB0
Session-ID-ctx:
Master-Key: 2700AA7DF91BEA3B007FE14D3B2289ED0F5041E99044410A6A4B8A657E916D21451B738AEFA68992EB24E8B19A0A9E30
Key-Arg : None
Start Time: 1206754788
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
$
On Mar 27, 2008, at 8:31 PM, Michael Howard wrote:
> Fwiw, at Microsoft we mandate the use of "strong crypto" and that
> includes ciphersuites and bit lengths. In the case of RSA, 2048
> minimum, and the only time 1024 is allowed is for backward compat,
> and that has to be signed off by the crypto board (Ferguson,
> LaMacchia, Benaloh et al)
>
> Cheers, Michael
> Writing Secure Code for Windows Vista: http://www.microsoft.com/MSPress/books/10723.aspx
> SDL Book: http://www.microsoft.com/MSPress/books/8753.asp
> Blog: http://blogs.msdn.com/michael_howard/
>
>
> -----Original Message-----
> From: tls-bounces@xxxxxxxx [mailto:tls-bounces@xxxxxxxx] On Behalf
> Of Mike
> Sent: Thursday, March 27, 2008 9:28 PM
> To: tls@xxxxxxxx
> Subject: Re: [TLS] Security today
>
> Michael Howard wrote:
>> I think there is a deeper issue than this - people email
>> sensitive data all the time with no encryption...
>
> Yes, email security is problematic, but users have to do
> a lot of manual configuration even to get set up for it.
> And then, they need to convince their correspondents to
> set up their system too.
>
> With HTTPS, the infrastructure is already there, and it's
> being used. The problem is with server configuration:
> key size, cipher suite selection. If servers were simply
> better configured, security would automatically improve.
> Users wouldn't have to do anything differently; those
> who we rely on for security are failing us!
>
> Mike
>
> P.S. and there's nothing you or I can do about it as a
> user -- we can't influence the key sizes or cipher suites
> offered by a server -- it's either take it or leave it.
> _______________________________________________
> TLS mailing list
> TLS@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls
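
Added example (not part of the original message or of anything the posters wrote): a shell check that reads saved `openssl s_client` output and flags a server key below the 2048-bit RSA minimum quoted in the thread. The function names and the sample input are constructed for illustration; the sample lines are copied from the session shown above.

```shell
#!/bin/sh
# Added example: audit `openssl s_client` output against a minimum key size.
MIN_RSA_BITS=2048   # minimum quoted in the thread; assumes an RSA server key

# Constructed sample: lines copied from the s_client session in this message.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Protocol : TLSv1
Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Print one field (bits | cipher | verify) from s_client output on stdin.
s_client_field() {
    case "$1" in
        bits)   pat='s/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' ;;
        cipher) pat='s/^New, .*Cipher is \(.*\)$/\1/p' ;;
        verify) pat='s/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' ;;
        *)      return 2 ;;
    esac
    sed -n "$pat" | head -n 1
}

# Read s_client output on stdin, print findings, return how many there were.
audit_s_client() {
    out=$(cat)
    findings=0
    bits=$(printf '%s\n' "$out" | s_client_field bits)
    verify=$(printf '%s\n' "$out" | s_client_field verify)
    if [ -z "$bits" ]; then
        echo "FINDING: no server public key size in input"
        findings=$((findings + 1))
    elif [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "FINDING: server key is $bits bit, below $MIN_RSA_BITS"
        findings=$((findings + 1))
    fi
    # A non-zero verify code means the key size was read from an unverified chain.
    if [ "${verify:-missing}" != "0" ]; then
        echo "FINDING: chain not verified (code ${verify:-missing})"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Live use: openssl s_client -connect HOST:443 </dev/null 2>/dev/null | audit_s_client
sample_output | audit_s_client || true
```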