|
|
 |
| New User, Welcome! Login |
Re: [Full-disclosure] Ubuntu: reseed(8), random.org, and HTTP request
| From: |
coderman <coderman gmail com> |
| To: |
noloader gmail com |
| Cc: |
Full Disclosure <full-disclosure lists grok org uk>, BugTraq <bugtraq securityfocus com> |
| Subject: |
Re: [Full-disclosure] Ubuntu: reseed(8), random.org, and HTTP request |
| Date: |
Wed - Jul 06, 2011 12:49 AM |
On Tue, Jul 5, 2011 at 9:04 PM, Jeffrey Walton <noloader@gmail.com> wrote:
> Ubuntu's reseed(8) can be used to seed the PRNG state of a host. The
> script is run when the package installed, and anytime su executes the
> script.
... someone thought this was a good idea.
[an entropy pool remotely biased by MitM attacker, maybe?]
> reseed(8) performs a unsecured HTTP request to random.org for its
> bits, despite random.org offering HTTPS services.
https doesn't help if your host entropy pool is poorly seeded.
[SSL/TLS needs entropy for authenticity/privacy.]
> The Ubuntu Security Team took no interest when contacted by email (no
> reply); the point of contact listed in the man pages took no interest
> when contacted by email (no reply); and a launcher bug report was not
> acted upon (https://bugs.launchpad.net/ubuntu/+source/reseed/+bug/804594).
you're surprised?
[you must be new around here!]
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
