[WEB SECURITY] websecurity Digest, Vol 11, Issue 5

Elie Bursztein elie at elie.im
Sun Nov 6 23:50:20 EST 2011


From a pragmatic point of view, the only time the word weakness makes sense is when you are speaking of crypto, to describe a flaw that is not a break.
In this case the term weakness has a precise meaning:
A crypto algorithm has a weakness if and only if there exists an attack that allows an attacker to recover the key (or plaintext) in fewer operations than was intended when the system was designed.

For example: padding oracle attacks, WEP key recovery, SSH on Debian with a weak random number generator, etc.

Note that the weakness might be purely theoretical, as it is not computationally feasible; for example the latest AES one (the biclique attack: http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf).

Elie
http://elie.im | twitter:@elie (http://twitter.com/elie) 

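To make the definition above concrete, here is an added worked example (not part of Elie's message or of the list archive): a CBC padding oracle attack. The cipher is a toy 8-round Feistel network built on SHA-256, constructed for this demo so the block runs offline without a crypto library; the key, IV and message are constructed too. The attack never sees the key: using only the server's "padding valid / invalid" answer it recovers the plaintext in at most 256 oracle queries per byte (plus a handful of disambiguation checks), where the 128-bit key was meant to require a 2^128 search. That gap between intended and actual cost is exactly what makes it a weakness in the sense given above. The attack logic is the standard one and does not depend on the toy cipher.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function for the toy cipher (constructed for this example).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network over a 16-byte block. Toy cipher, not a real one;
    # the padding oracle attack below only relies on the CBC structure.
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round_fn(key, r, i))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round_fn(key, l, i)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


class PaddingOracle:
    """The server side: the only thing it leaks is whether the padding was valid."""

    def __init__(self, key: bytes):
        self._key = key
        self.queries = 0  # attacker cost, counted in oracle calls

    def is_valid(self, iv: bytes, ct: bytes) -> bool:
        self.queries += 1
        try:
            pkcs7_unpad(cbc_decrypt(self._key, iv, ct))
            return True
        except ValueError:
            return False


def recover_block(oracle: PaddingOracle, prev: bytes, block: bytes) -> bytes:
    """Recover one plaintext block using only the oracle (no key knowledge)."""
    inter = bytearray(BLOCK)  # D_k(block), the value before the XOR with `prev`
    for pos in range(BLOCK - 1, -1, -1):
        pad_byte = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad_byte  # already-known bytes forced to pad_byte
        for guess in range(256):
            forged[pos] = guess  # forged IV: decrypts block to D_k(block) XOR forged
            if not oracle.is_valid(bytes(forged), block):
                continue
            if pos == BLOCK - 1:
                # A "valid" answer for the last byte could come from a longer
                # padding (e.g. 02 02); flip the byte before it and re-check.
                check = bytearray(forged)
                check[pos - 1] ^= 0x01
                if not oracle.is_valid(bytes(check), block):
                    continue
            inter[pos] = guess ^ pad_byte
            break
    return _xor(bytes(inter), prev)


def padding_oracle_attack(oracle: PaddingOracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(pt)


def demo(message: bytes = b"attack at dawn; the key stays secret") -> tuple:
    # Constructed sample: random 128-bit key and IV; the attacker gets only iv, ct and the oracle.
    key, iv = os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, pkcs7_pad(message))
    oracle = PaddingOracle(key)
    recovered = padding_oracle_attack(oracle, iv, ct)
    return recovered, oracle.queries, len(ct)


if __name__ == "__main__":
    pt, q, n = demo()
    print(f"recovered {pt!r} with {q} oracle queries for {n} ciphertext bytes")
```

The fix on the server side is not a different padding check but a MAC verified before decryption (encrypt-then-MAC or an AEAD mode), so that a tampered ciphertext is rejected with a single, uniform error before any padding is ever examined.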


On Sunday, November 6, 2011 at 8:01 PM, websecurity-request at lists.webappsec.org wrote:

> 
> Today's Topics:
> 
> 1. Re: What's the differences between weakness and
> vulnerability? (Celestain Fonge)
> 2. Re: What's the differences between weakness and
> vulnerability? (Michal Zalewski)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 6 Nov 2011 17:31:59 -0600
> From: "Celestain Fonge" <cfonge at zazotechnologies.com>
> To: "'matthew chao'" <mathewchao at gmail.com>
> Cc: websecurity at lists.webappsec.org
> Subject: Re: [WEB SECURITY] What's the differences between weakness
> and vulnerability?
> Message-ID: <00d201cc9cdc$48a6a240$d9f3e6c0$@zazotechnologies.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> Per http://en.wikipedia.org/wiki/Vulnerability_(computing)
> 
> In computer security, a vulnerability is a weakness which allows an attacker
> to reduce a system's information assurance.
> 
> Regards,
> Celestain.
> 
> -----Original Message-----
> From: websecurity-bounces at lists.webappsec.org On Behalf Of matthew chao
> Sent: Sunday, November 06, 2011 2:35 AM
> To: websecurity at lists.webappsec.org
> Subject: [WEB SECURITY] What's the differences between weakness and
> vulnerability?
> 
> WASC's definition of "weakness": "The underlying vulnerability within the
> application that is exploited." It seems weakness is equal to vulnerability,
> and WASC's Glossary
> (http://projects.webappsec.org/w/page/13246967/The%20Web%20Security%20Glossary)
> doesn't include the terms.
> 
> However, according to "http://cwe.mitre.org/about/faq.html#A.1",
> "Software weaknesses are errors that can lead to software vulnerabilities.
> A software vulnerability is a mistake in software that can be directly
> used by a hacker to gain access to a system or network.", so they are
> different concepts.
> 
> 
> The situation is confusing, so what's the difference between weakness and
> vulnerability? Thanks!
> 
> -Matt
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Sun, 6 Nov 2011 16:37:47 -0800
> From: Michal Zalewski <lcamtuf at coredump.cx>
> To: Celestain Fonge <cfonge at zazotechnologies.com>
> Cc: websecurity at lists.webappsec.org
> Subject: Re: [WEB SECURITY] What's the differences between weakness
> and vulnerability?
> Message-ID:
> <CALx_OUBpmJQ=SDFfL=Ma47LcBmfnNKQhCAatHg_uoG-_VyDM0g at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> > Per http://en.wikipedia.org/wiki/Vulnerability_(computing)
> 
> That article is hilarious!
> 
> /mz
> 
> 
> 
> ------------------------------
> 