nanog mailing list archives

Re: Security team successfully cracks SSL using 200 PS3's and MD5


From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 02 Jan 2009 23:37:56 +0100

* Joe Greco:

> It seems that part of the proposed solution is to get people to move from
> MD5-signed to SHA1-signed.  There will be a certain amount of resistance.
> What I was suggesting was the use of the revocation mechanism as part of
> the "stick" (think carrot-and-stick) in a campaign to replace MD5-based
> certs.  If there is a credible threat to MD5-signed certs, then forcing
> their retirement would seem to be a reasonable reaction, but everyone here
> knows how successful "voluntary" conversion strategies typically are.

A CA statement that they won't issue MD5-signed certificates in the
future should be sufficient.  There's no need to reissue old
certificates, unless the CA thinks other customers have attacked it.

> Either we take the potential for transparent MitM attacks seriously, or
> we do not.  I'm sure the NSA would prefer "not."  :-)

I doubt the NSA is interested in MITM attacks which can be spotted by
comparing key material. 8-)

