Hanno Böck

Fediverse Profile link: https://mastodon.social/@hanno/

github profile: https://github.com/hannob/

Hanno has been active in the free software community for a long time. He has a special interest in IT security, and has discovered multiple high-profile security vulnerabilities in the past.

Accepted Talks:

Breaking DKIM and BIMI with the 2008 Debian OpenSSL Bug

In 2008, a severe security vulnerability was discovered in Debian's OpenSSL package. Due to a bug, cryptographic keys generated with the affected OpenSSL packages drew on almost no entropy (the only remaining input to the random number generator was the process ID), which limited the number of possible keys for a given key size to a few tens of thousands. This was 16 years ago, but it turns out that affected keys are still used in the wild.

The speaker has developed the tool badkeys, a free software tool that scans cryptographic public keys for known vulnerabilities. By scanning DKIM public keys, several keys affected by the 2008 Debian OpenSSL bug were discovered. Because the private key of such a weak key can be recovered from the public key, this allowed creating valid DKIM signatures for several high-profile domains. In some cases, mails signed this way show up with a company logo in popular email clients due to a mechanism called BIMI (Brand Indicators for Message Identification).
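The scanning step described above, as an added example for this page (it is not code from badkeys or from the speaker): fetch the tag=value list of a DKIM key record, reassemble the TXT strings DNS returns for a long record, decode the RSA SubjectPublicKeyInfo in p= without third-party libraries, and check the modulus against a blocklist of known-weak keys. The DKIM records, the toy RSA keys and the SHA-256-of-modulus blocklist format are all constructed here so the script runs offline; a real scanner would resolve `<selector>._domainkey.<domain>` and use a blocklist built from the keys the buggy generator can actually produce.

```python
"""Check the RSA key in a DKIM DNS record against a blocklist of weak moduli.

Added example for this talk page; it is not code from badkeys. The DKIM
records, keys and blocklist below are constructed inline so the script runs
offline. A real scanner would resolve <selector>._domainkey.<domain> TXT and
use a blocklist built from the keys that the 2008 Debian OpenSSL bug can
produce; the SHA-256-of-modulus blocklist format here is a stand-in.
"""
import base64
import hashlib

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included.
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    # One extra byte when the top bit is set keeps the INTEGER positive.
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def encode_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key: the DER that DKIM carries base64-encoded in p=."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption, NULL parameters
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for one DER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as used by real 1024/2048-bit keys
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_from_spki(der):
    """Extract (n, e) from a SubjectPublicKeyInfo; raises ValueError for non-RSA keys."""
    tag, spki, _ = _read_tlv(der, 0)
    tag_alg, algorithm, pos = _read_tlv(spki, 0)
    if tag != 0x30 or tag_alg != 0x30 or not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag_bits, bits, _ = _read_tlv(spki, pos)
    if tag_bits != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bits[1:], 0)
    _, n_bytes, pos = _read_tlv(rsa_public_key, 0)
    _, e_bytes, _ = _read_tlv(rsa_public_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_dkim_record(txt_strings):
    """Parse the tag=value list of a DKIM key record.

    DNS returns long TXT records as several <=255-byte strings that must be
    concatenated before parsing; folding whitespace inside values is dropped.
    """
    tags = {}
    for field in "".join(txt_strings).split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def modulus_fingerprint(n):
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def check_dkim_key(txt_strings, blocklist):
    tags = parse_dkim_record(txt_strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "not a DKIM key record"
    if tags.get("k", "rsa") != "rsa":
        return "not an RSA key, skipped"
    if not tags.get("p"):
        return "revoked key (empty p=)"
    n, _e = rsa_modulus_from_spki(base64.b64decode(tags["p"]))
    if modulus_fingerprint(n) in blocklist:
        return "WEAK: modulus is on the blocklist"
    return "ok"


# Constructed toy keys (far too small for real use); the "weak" one stands in
# for a modulus that the predictable Debian generator would have produced.
WEAK_N = (2**64 - 59) * (2**61 - 1)
GOOD_N = (2**64 - 59) * (2**89 - 1)
E = 65537
BLOCKLIST = {modulus_fingerprint(WEAK_N)}


def dkim_record_for(n, e, split_at=60):
    """Build a DKIM TXT record, split into two strings the way DNS returns a long one."""
    p = base64.b64encode(encode_spki(n, e)).decode()
    record = f"v=DKIM1; k=rsa; p={p}"
    return [record[:split_at], record[split_at:]]


if __name__ == "__main__":
    for name, n in (("weak", WEAK_N), ("good", GOOD_N)):
        print(f"{name}: {check_dkim_key(dkim_record_for(n, E), BLOCKLIST)}")
```

A blocklist only finds keys it already knows about, so for the Debian bug it has to be built by regenerating every key the crippled generator could emit for each key size and architecture. Once a DKIM key matches, anyone can sign mail for that domain, and the only remedy is to publish a fresh key under a new selector and retire the old one.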

See also: https://badkeys.info/