MiWDesktopHack | 10 years ago
Dual_EC was default PRNG in BSAFE-SSL-C for almost a decade. Shodan matched 1700 banners from this time, online now. The chance that a person interacted with a https service in that time is quite high I would think.
tptacek | 10 years ago
I'd be interested in finding out more about Red Hat Secure Server:
* It switched from OpenSSL to BSAFE-C in/around 2000
* RSA defaulted BSAFE to Dual_EC in 2004
* The last release I can see for Red Hat Secure Web Server is in 2003
* Red Hat Secure Web Server is EOL'd now.
A helpful Twitter user points out this mailing list post from 2003:
http://blog.gmane.org/gmane.linux.redhat.security.server
... in which it's stated that Red Hat Secure Web Server had been EOL for some time.
It's looking more likely that those Shodan banners are not TLS implementations with Dual_EC defaults.
MiWDesktopHack | 10 years ago
Thanks for following this up. I think you are right. RH SWS was EOL before the Dual_EC default switch was made. If the only public banners for this product are from before this time, I will concede that Dual_EC likely never saw use on the public Internet.
Pls unblock me on twitter ;-)