Domainz, and "outdated encryption methods"

Discussion in 'NZ Computing' started by Steve Marshall, Jun 17, 2005.

  1. I went to the Domainz homepage www.domainz.net.nz
    and logged in to manage a domain -
    http://www.domainz.net.nz/Domainz.asp#

    At that point, my browser, Opera 8.01, threw up a warning message:

    ---------------------------------------
    Low Encryption Level
    This site is using an outdated encryption method currently classified
    as insecure. It cannot sufficiently protect sensitive data. Do you
    wish to continue?
    www.domainz.net.nz
    view / accept /install / cancel / help
    ---------------------------------------

    Well, no, not if you put it that way...

    When I clicked "View", I got the following information:

    ---------------------------------------
    Certificate name

    www.domainz.net.nz
    Domainz Ltd
    Domainz Ltd
    Wellington
    Wellington, NZ

    Issuer

    Thawte Server CA
    Thawte Consulting cc
    Certification Services Division
    Cape Town
    Western Cape, ZA
    emailAddress:

    Details

    https://www.domainz.net.nz/Facility/Login/ssl/Login.asp
    Connection : TLS v1.0 128 bit C4 (RSA/MD5)

    Certificate version: 3
    Serial number: 4102626
    Not valid before: Sep 15 04:55:43 2004 GMT
    Not valid after: Sep 15 04:55:43 2005 GMT
    Fingerprint : (MD5) 0D CC 9A FE DD 4C F0 4A 96 B8 8B FD F5 A4 17 F6
    Fingerprint : (SHA-1) 2E 0A 9B 10 D5 CC BD 0D B4 00 2C 8D 5C 25 96 C4
    B1 11 19 8F

    Public key algorithm : rsaEncryption
    Public-Key (512 bit):
    Modulus:
    00: 79 CB 70 DE 5C 33 9B 35 1F 48 AE 2D E0 B6 CF B1
    10: 09 08 C3 11 41 D7 FD DF AC 9D 95 11 E2 D6 94 27
    20: 41 93 C7 8F 71 72 C4 BD C2 20 44 86 EF D5 F4 11
    30: FD C6 39 33 4A 70 DE 67 30 AA 7E DB F1 86 A1 96

    Exponent:
    01 00 01

    Signature algorithm : md5WithRSAEncryption

    00: 9C BA F6 F4 3A C8 9E 6C C1 8F 9D F8 A2 2F 90 6A
    10: 31 A4 FE 02 4F E5 8F 7C BB 8F 54 B1 35 30 70 86
    20: DD 66 14 23 12 DB 26 E7 E4 E2 9B 9F BE 70 15 21
    30: 1C B1 12 3D 94 4D DF C4 EB 8F 58 7E C7 BC 8C 09
    40: ED A1 91 65 2E 66 F3 C8 34 31 53 5B C4 BF 08 D6
    50: 24 E7 FA B0 CF 24 EF 39 D7 64 F8 65 6C E6 A9 C1
    60: D8 99 EF 8B 34 61 78 42 DC AB 3E E6 99 3A 7C E7
    70: DB 8D E3 6B FA 46 4E D9 E0 6C 63 0A 45 6C 5B A2

    Extensions:

    X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web
    Client Authentication
    X509v3 CRL Distribution Points:
    URI:http://crl.thawte.com/ThawteServerCA.crl
    Authority Information Access:
    OCSP - URI:http://ocsp.thawte.com
    X509v3 Basic Constraints (Critical): CA:FALSE
    ---------------------------------------

    I contacted Domainz by email and was told:

    ---------------------------------------
    "We do not feel that this is a major thread [sic] to yours or your
    clients sensitive information and you should feel happy in registering
    a domain name for them. It seems curious that we do not receive this
    comment from other customers and we do not experience it ourselves.
    I wonder if this has to do with the security settings on your own
    browser being set to a extremely high level and therefore this is what
    is expecting something of the same extreme level."
    ---------------------------------------

    I contacted a friend in the US who is a senior researcher for the
    managed security services team of a large organization (and that's as
    specific as I can get). His response was:

    ---------------------------------------
    They have a valid CRL and Thawte is a good CA.

    They're using a small key, 512 bits instead of 1024. They're also
    using MD5 and not SHA-1. It is cryptographically weaker than using
    SHA-1 and 1024, but it isn't mind-blowingly bad either. But nobody
    should be using a 512 bit key. I thought at first that it was their
    signing key, but their actual key is 512 bits.

    I would suggest you tell Domainz to read this:
    http://www.rsasecurity.com/rsalabs/node.asp?id=2004
    And then tell me that their key is safe.

    512 bit keys are cracked in weeks, and anything that was encrypted
    with that session is vulnerable. You should be using 1024bit keys for
    everything you want to keep protected until the year 2010. If you want
    things to be safe until 2030, you should be using 2048.

    To clarify: no financial information should trade hands using less
    than 1024 bits, preferably with SHA-1.
    ---------------------------------------

    Here's part of what Opera www.opera.com says about low encryption
    level sites:

    ---------------------------------------
    Why are RSA/Diffie-Heldman keys shorter than 900 bits not secure
    enough?

    RSA/DH keys are used to protect the encryption keys for all
    transactions with the server. If these keys are broken, all
    communication that has been exchanged with the server from the time
    the key was created will be fully available. An attacker will be able
    to modify the information exchanged between you and the server, and
    there is no way to detect such changes in the protocol.

    These keys are parts of the very foundation of the SSL and TLS
    protocols. Using a weak key weakens the entire system.
    What constitutes a weak key?

    Several years ago, a 512 bit RSA key was broken in 10-12 weeks (7-8
    months computing by night on a few hundred workstations). Today the
    same job could probably be done in less than 4 weeks. This means that
    keys of this length are not adequate protection for any information
    that needs to be kept secure for more than a few weeks.
    http://www.opera.com/support/search/supsearch.dml?index=798
    ---------------------------------------

    Any comments?
     
    Steve Marshall, Jun 17, 2005
    #1
    1. Advertising

  2. Steve Marshall

    Dave Taylor Guest

    Steve Marshall <> wrote in
    news::

    > Any comments?


    People still submit info to unencrypted pages and respond to spam, thank
    you for raising the bar a little.
    Keep up the good work.
    Perhaps a post to http://isc.sans.org/ will make things change?
    I think Firefox should have this feature too, I like it.
    Perhaps the problem lies with Thawte as a CA?

    --
    Ciao, Dave
     
    Dave Taylor, Jun 17, 2005
    #2
    1. Advertising

  3. Steve Marshall

    Rob Guest

    Domainz are now an Australian owned company. You should use a NZ owned
    domain registering company (they are cheaper to than domainz). Is is very
    easy to switch.


    "Steve Marshall" <> wrote in message
    news:...
    > I went to the Domainz homepage www.domainz.net.nz
    > and logged in to manage a domain -
    > http://www.domainz.net.nz/Domainz.asp#
    >
    > At that point, my browser, Opera 8.01, threw up a warning message:
    >
    > ---------------------------------------
    > Low Encryption Level
    > This site is using an outdated encryption method currently classified
    > as insecure. It cannot sufficiently protect sensitive data. Do you
    > wish to continue?
    > www.domainz.net.nz
    > view / accept /install / cancel / help
    > ---------------------------------------
    >
    > Well, no, not if you put it that way...
    >
    > When I clicked "View", I got the following information:
    >
    > ---------------------------------------
    > Certificate name
    >
    > www.domainz.net.nz
    > Domainz Ltd
    > Domainz Ltd
    > Wellington
    > Wellington, NZ
    >
    > Issuer
    >
    > Thawte Server CA
    > Thawte Consulting cc
    > Certification Services Division
    > Cape Town
    > Western Cape, ZA
    > emailAddress:
    >
    > Details
    >
    > https://www.domainz.net.nz/Facility/Login/ssl/Login.asp
    > Connection : TLS v1.0 128 bit C4 (RSA/MD5)
    >
    > Certificate version: 3
    > Serial number: 4102626
    > Not valid before: Sep 15 04:55:43 2004 GMT
    > Not valid after: Sep 15 04:55:43 2005 GMT
    > Fingerprint : (MD5) 0D CC 9A FE DD 4C F0 4A 96 B8 8B FD F5 A4 17 F6
    > Fingerprint : (SHA-1) 2E 0A 9B 10 D5 CC BD 0D B4 00 2C 8D 5C 25 96 C4
    > B1 11 19 8F
    >
    > Public key algorithm : rsaEncryption
    > Public-Key (512 bit):
    > Modulus:
    > 00: 79 CB 70 DE 5C 33 9B 35 1F 48 AE 2D E0 B6 CF B1
    > 10: 09 08 C3 11 41 D7 FD DF AC 9D 95 11 E2 D6 94 27
    > 20: 41 93 C7 8F 71 72 C4 BD C2 20 44 86 EF D5 F4 11
    > 30: FD C6 39 33 4A 70 DE 67 30 AA 7E DB F1 86 A1 96
    >
    > Exponent:
    > 01 00 01
    >
    > Signature algorithm : md5WithRSAEncryption
    >
    > 00: 9C BA F6 F4 3A C8 9E 6C C1 8F 9D F8 A2 2F 90 6A
    > 10: 31 A4 FE 02 4F E5 8F 7C BB 8F 54 B1 35 30 70 86
    > 20: DD 66 14 23 12 DB 26 E7 E4 E2 9B 9F BE 70 15 21
    > 30: 1C B1 12 3D 94 4D DF C4 EB 8F 58 7E C7 BC 8C 09
    > 40: ED A1 91 65 2E 66 F3 C8 34 31 53 5B C4 BF 08 D6
    > 50: 24 E7 FA B0 CF 24 EF 39 D7 64 F8 65 6C E6 A9 C1
    > 60: D8 99 EF 8B 34 61 78 42 DC AB 3E E6 99 3A 7C E7
    > 70: DB 8D E3 6B FA 46 4E D9 E0 6C 63 0A 45 6C 5B A2
    >
    > Extensions:
    >
    > X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web
    > Client Authentication
    > X509v3 CRL Distribution Points:
    > URI:http://crl.thawte.com/ThawteServerCA.crl
    > Authority Information Access:
    > OCSP - URI:http://ocsp.thawte.com
    > X509v3 Basic Constraints (Critical): CA:FALSE
    > ---------------------------------------
    >
    > I contacted Domainz by email and was told:
    >
    > ---------------------------------------
    > "We do not feel that this is a major thread [sic] to yours or your
    > clients sensitive information and you should feel happy in registering
    > a domain name for them. It seems curious that we do not receive this
    > comment from other customers and we do not experience it ourselves.
    > I wonder if this has to do with the security settings on your own
    > browser being set to a extremely high level and therefore this is what
    > is expecting something of the same extreme level."
    > ---------------------------------------
    >
    > I contacted a friend in the US who is a senior researcher for the
    > managed security services team of a large organization (and that's as
    > specific as I can get). His response was:
    >
    > ---------------------------------------
    > They have a valid CRL and Thawte is a good CA.
    >
    > They're using a small key, 512 bits instead of 1024. They're also
    > using MD5 and not SHA-1. It is cryptographically weaker than using
    > SHA-1 and 1024, but it isn't mind-blowingly bad either. But nobody
    > should be using a 512 bit key. I thought at first that it was their
    > signing key, but their actual key is 512 bits.
    >
    > I would suggest you tell Domainz to read this:
    > http://www.rsasecurity.com/rsalabs/node.asp?id=2004
    > And then tell me that their key is safe.
    >
    > 512 bit keys are cracked in weeks, and anything that was encrypted
    > with that session is vulnerable. You should be using 1024bit keys for
    > everything you want to keep protected until the year 2010. If you want
    > things to be safe until 2030, you should be using 2048.
    >
    > To clarify: no financial information should trade hands using less
    > than 1024 bits, preferably with SHA-1.
    > ---------------------------------------
    >
    > Here's part of what Opera www.opera.com says about low encryption
    > level sites:
    >
    > ---------------------------------------
    > Why are RSA/Diffie-Heldman keys shorter than 900 bits not secure
    > enough?
    >
    > RSA/DH keys are used to protect the encryption keys for all
    > transactions with the server. If these keys are broken, all
    > communication that has been exchanged with the server from the time
    > the key was created will be fully available. An attacker will be able
    > to modify the information exchanged between you and the server, and
    > there is no way to detect such changes in the protocol.
    >
    > These keys are parts of the very foundation of the SSL and TLS
    > protocols. Using a weak key weakens the entire system.
    > What constitutes a weak key?
    >
    > Several years ago, a 512 bit RSA key was broken in 10-12 weeks (7-8
    > months computing by night on a few hundred workstations). Today the
    > same job could probably be done in less than 4 weeks. This means that
    > keys of this length are not adequate protection for any information
    > that needs to be kept secure for more than a few weeks.
    > http://www.opera.com/support/search/supsearch.dml?index=798
    > ---------------------------------------
    >
    > Any comments?
     
    Rob, Jun 18, 2005
    #3
  4. "Rob" wrote:

    >Domainz are now an Australian owned company.


    Yes, MelbourneIt

    > You should use a NZ owned
    >domain registering company (they are cheaper to than domainz). Is is very
    >easy to switch.


    I agree. The .nz TLD domain I've registered - ncag.org.nz - is with
    1stDomains, and I've been very happy with the service and the price.
    That domain is hosted offshore with LunarPages, because I got a much
    better price for hosting there.

    I'm forced to deal with Domainz because that's what the client chose,
    but the client will be pulling out of Domainz when the contract ends.

    What surprises me is that the Domainz slogan is,"The Name You Trust".
    Perhaps Domainz relies on the slogan for security?

    cheers
    Steve
     
    Steve Marshall, Jun 18, 2005
    #4
  5. Steve Marshall, Jun 23, 2005
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Chuck S
    Replies:
    5
    Views:
    796
    fluffy bunny
    Jul 1, 2003
  2. (=?iso-8859-1?Q?=AF=60=B7=2E=2E=2E=F8=A4=B0=60=B0=

    Astrology and Biorhythms and Numerology and Tarot 2000 - 2003

    (=?iso-8859-1?Q?=AF=60=B7=2E=2E=2E=F8=A4=B0=60=B0=, Oct 7, 2003, in forum: Computer Support
    Replies:
    0
    Views:
    1,431
    (=?iso-8859-1?Q?=AF=60=B7=2E=2E=2E=F8=A4=B0=60=B0=
    Oct 7, 2003
  3. John

    Domainz website

    John, Jul 6, 2004, in forum: NZ Computing
    Replies:
    4
    Views:
    340
    Collector_NZ
    Jul 6, 2004
  4. Boppy
    Replies:
    4
    Views:
    367
    Gordon
    Nov 1, 2008
  5. NZ domainz got hacked?

    , May 12, 2009, in forum: NZ Computing
    Replies:
    22
    Views:
    1,144
Loading...

Share This Page