Conversation

Notices

1. Embed this notice
   Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:37:34 JST Ryan Castellucci :nonbinary_flag:

   LOL never trust the output of openssl x509 -noout -text

   You can stuff arbitrary printable ascii including newlines into random extensions as raw data and it'll just display it.

   https://gist.githubusercontent.com/ryancdotorg/73f298821f57b56ec328181dfa9b9ade/raw/37444b84684315b19ef50f85d4453663cfafeb96/nsa.test.pem

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:39:30 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     I can stuff a text representation of an entire other certificate in there....

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:41:11 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     No CAs just copy the value of harmless deprecated extensions, right?

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:43:21 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     Obviously I tried ANSI escape sequences, which didn't work.

   • Embed this notice
     Sophie Schmieg (sophieschmieg@infosec.exchange)'s status on Saturday, 18-May-2024 05:13:54 JST Sophie Schmieg

     in reply to

     @ryanc

     Never trust […] x509.

     Fixed that for you.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 18-May-2024 05:19:26 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Sophie Schmieg

     @sophieschmieg never trust

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 18-May-2024 05:27:32 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Sophie Schmieg

     @sophieschmieg btw shodan dumps certificates using openssl x509 -text

   • Embed this notice
     Paul_IPv6 (paul_ipv6@infosec.exchange)'s status on Saturday, 18-May-2024 05:33:42 JST Paul_IPv6

     in reply to

     @ryanc

     never trust anything that claims it can parse ASN.1.

     any syntax standard that is supposed to be clear and unambiguous but whose very name is Abstract is just a bad idea. :)

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Sunday, 19-May-2024 18:49:38 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Nicolas SAPA

     @nico Perhaps, but GnuTLS has significantly more security bugs in it than OpenSSL.

   • Embed this notice
     Nicolas SAPA (nico@ublog.byme.at)'s status on Sunday, 19-May-2024 18:49:42 JST Nicolas SAPA

     in reply to
     @ryanc certtool from gnutls show "Unknown extension 2.16.840.1.113730.1.1 (not critical):" and remove the newline.
   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Sunday, 19-May-2024 18:50:58 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • waldi

     @waldi Making a CA do a lot of paperwork for the next few weeks sounds fun, especially if it's Sectigo.

   • Embed this notice
     waldi (waldi@chaos.social)'s status on Sunday, 19-May-2024 18:50:59 JST waldi

     in reply to

     @ryanc No, CA governed by CA/Browser forum will not just copy sections. Or they will have to do a lot of paperwork for the next weeks.