XML Editor - Download a Free Trial >
See What's New >
Buy Now >

[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Fwd: [e-lang] Protocol implementation errors

  • To: <xml-dev@l...>
  • Subject: Fwd: [e-lang] Protocol implementation errors
  • From: Tyler Close <tyler@w...>
  • Date: Thu, 2 Oct 2003 23:24:33 -0400
dean tribble
Play the video
Given how the OpenSSL hackers have fared with ASN.1, letting web
service hackers muck about with ASN.1 seems like a poor idea.

Definitely an issue that must be addressed by those advocating use
of ASN.1 as a binary encoding of the XML Infoset.

Tyler

----------  Forwarded Message  ----------

Subject: [e-lang] Protocol implementation errors
Date: Thu, 2 Oct 2003 14:50:21 -0700
From: Bill Frantz <frantz@p...>
To: cryptography@m...
Cc: e-lang@m...

From:
>                 -- Security Alert Consensus --
>                       Number 039 (03.39)
>                  Thursday, October 2, 2003
>            Network Computing and the SANS Institute
>                      Powered by Neohapsis
>
>*** {03.39.004} Cross - OpenSSL ASN.1 parsing vulns
>
>OpenSSL versions 0.9.6j and 0.9.7b (as well as prior) contain multiple
>bugs in the parsing of ASN.1 data, leading to denials of services. The
>execution of arbitrary code is not yet confirmed, but it has not been
>ruled out.

This is the second significant problem I have seen in applications that use
ASN.1 data formats.  (The first was in a widely deployed implementation of
SNMP.)  Given that good, security conscience programmers have difficultly
getting ASN.1 parsing right, we should favor protocols that use easier to
parse data formats.

I think this leaves us with SSH.  Are there others?

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz        | "There's nothing so clear as   | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032


_______________________________________________
e-lang mailing list
e-lang@m...
http://www.eros-os.org/mailman/listinfo/e-lang

-------------------------------------------------------

-- 
The union of REST and capability-based security:
http://www.waterken.com/dev/Web/

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

XML Editor - Download a 15 Day Free Trial Now >
See What's New in Stylus Studio >
Buy Stylus Studio - XML Editor - Now >
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.