[Openvas-discuss] Private or Corporate CAs

Reindl Harald h.reindl at thelounge.net
Tue Apr 10 17:16:43 CEST 2018

Am 10.04.2018 um 17:12 schrieb Alex Smirnoff:
> Could you elaborate an attack scenario that depends on root certificate
> signature?
> The job of security scanner is not to point at any shit, it is to point
> at dangerous shit.

it's job is to point out shit which would lead to not survive a external
security audit where you get simply fired when you argue like that so
that you can fix your crap before

in the time you are complaining here instead make the needed overrides
you could have replaced your crap all over the infrastructure easily

and if it's not doable in that time your infrastructure is crap because
nobody gave a shit thinking about automated certificate replacement /

> On Mon, Apr 09, 2018 at 10:26:54AM +0200, Reindl Harald wrote:
>> jesus add a override and you are done
>> MD5/SHA1 certificates are shit and it's th ejob of a security scanner to
>> point that out - for anything which you don't want to see local
>> overrides are the way to go
>> Am 07.04.2018 um 18:32 schrieb Alex Smirnoff:
>>> Huh?
>>> It is relevant. But it is irrelevant for anything that is self-signed.
>>> Isn't it obvious?
>>> On Thu, Mar 29, 2018 at 08:41:25PM +0200, Reindl Harald wrote:
>>>> Am 29.03.2018 um 20:29 schrieb Alex Smirnoff:
>>>>> Could you elaborate, exactly how weak hash could matter for self-signed
>>>>> certificate? Without vague references like "if you don't want to trust
>>>>> the NSA and NIST". I do not see any of those organisations stating that
>>>>> weak hash is dangerous for a situation where signature itself is
>>>>> irrelevant
>>>> if the signature is irrelevant why do you use https at all?
>>>> WTF!
>>>> there is no technical difference between your self-signed stuff or
>>>> certificates signed by a public CA except that you *one time* need to make
>>>> an exception in the client

More information about the Openvas-discuss mailing list