Now, the question is how does that affect verification of the signature from the parent? Anyway, file this in the "custom parameters are evil" pile.
-
-
Prikaži ovu nit
-
I am home sick with the flu, and can't immediately decide if that's the best or the worst time for a catastrophic crypto vulnerability to drop.
Prikaži ovu nit -
This is it for the fun part: if you can pick the parameters, you can pick a curve for which you know the private key of arbitrary public keys. The validation fail is still unclear, when does the library accept untrusted params for a trusted public key?https://twitter.com/Dennis__Jackson/status/1217155490205065217 …
Prikaži ovu nit -
Yep, ok, looks like the attack is changing the generator of the curve so you know the private key, and then confuse the validator by providing an alternative root (?) with the same public key but poisoned parameters.pic.twitter.com/6E2rLnwZEW
Prikaži ovu nit
Kraj razgovora
Novi razgovor -
-
-
Custom curve? This is even scarier.. who handle custom curves out there :D?
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
Suspect its in the parsing of the cert. Attacker adds an additional curve description. Signature validation uses the honest curve description, public key is instantiated with the malicious one.https://twitter.com/Dennis__Jackson/status/1217156342345076737 …
- Još 1 odgovor
Novi razgovor -
-
-
If the Pentagon contract awarded to Microsoft is going to use Windows, the future of responsible disclosure is going to be rather eventful.
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
Ya looks like this may be a verification issue. I'll be curious to see how badly Microsoft screwed this up. https://news.ycombinator.com/item?id=22048619 …
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
Pardon the ignorance, but what's a certificate curve?
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.