CVE-2008-3280

Summary

It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs.

Affected Software

VendorProductVersion RangeStatus
n/aopenidunknownaffected

Weaknesses

  • CWE-338: CWE-338

ADP Enrichment

CVE Program Container

Additional References

References