funsec mailing list archives
Fake CA MD5 questions
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Tue, 30 Dec 2008 16:29:11 -0800
Date sent: Tue, 30 Dec 2008 12:09:36 +0100
From: Jacob Appelbaum <jacob () appelbaum net>

http://events.ccc.de/2008/12/30/the-cat-is-out-of-the-bag/
MD5 considered harmful today: Creating a rogue CA certificate

OK, this is already hitting the mainstream media, and some real assessments are going to be needed.

The Bad Guys (TM) have been using fake or self-signed certs for a while. We can expect them to build a fake CA cert to start using for phishing sites shortly. (Although I wonder why they'd even bother ...)

First, you need 5 CAs that use MD5 hashes. How many do that? How many CAs use *only* MD5s?

Is it possible to revoke all the MD5 certs and push that out to all the browser updates within the next few weeks? Would that be effective?

Is this attack effective against SHA-1? How much longer would it take? Others?

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
I'm never going to be famous. My name will never be writ large on the roster of Those Who Do Things. I don't do any thing. Not one single thing. I used to bite my nails, but I don't even do that any more.
- famous American reviewer and wit, Dorothy Parker
victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
http://blog.isc2.org/isc2_blog/slade/index.html
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.