nanog mailing list archives
Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
From: Martin List-Petersen <martin () airwire ie>
Date: Fri, 02 Jan 2009 16:06:31 +0000
Joe Abley wrote:
> On 2009-01-02, at 09:04, Rodrick Brown wrote:
>
>> A team of security researchers and academics has broken a core piece of Internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a rogue certificate authority and use it to issue valid SSL certificates for any site they want. The user would have no indication that their HTTPS connection was being monitored/modified.
>
> I read a comment somewhere else that while this is interesting, and good work, and well done, in practice it's much easier to social-engineer a certificate with a stolen credit card from a real CA than it is to create a fake CA. (I'd give proper attribution if I could remember who it was, but it put things into perspective for me at the time so I thought I'd share.)

It is. But this issue might open for man-in-the-middle attacks, which is much harder for issued certificates. Issued certificates usually also incorporate a check that you control a domain etc. With engineered certificates you can practically avoid that whole process.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobal an Iarthar
http://www.airwire.ie
Phone: 091-865 968