Re: SHA1 collisions proven possisble

[Matt Palmer <mpalmer () hezmatt org>]

On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
> On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
> > I repeat something I've said a couple times in this thread: If I can
> > somehow create two docs with the same hash, and somehow con someone
> > into using one of them, chances are there are bigger problems than a
> > SHA1 hash collision.
> >
> > If you assume I could somehow get Verisign to use a cert I created to
> > match another cert with the same hash, why in the hell would that
> > matter?  I HAVE THE ONE VERISIGN IS USING.  Game over.
> >
> > Valdis came up with a possible use of such documents. While I do not
> > think there is zero utility in those instances, they are pretty small
> > vectors compared to, say, having a root cert at a major CA.
>
> I want a google.com cert.  I ask a CA to sign my fake google.com
> certificate.  They decline, because I can't prove I control google.com.

Even better: I want a CA cert.  I convince a CA to issue me a regular,
end-entity cert for `example.com` (which I control) in such a way that I can
generate another cert with the same SHA1 hash, but which has `CA:TRUE` for
the Basic Constraints extension.

Wham!  I can now generate certs for *EVERYONE*.  At least until someone
notices and takes away my shiny new toy...

- Matt

-- 
[M]ost of the other people here [...] drive cars that they have personally
built (starting with iron ore, charcoal, and a Malaysian turn-signal tree)
[...] but I wimp out on all of those points.  Sometimes there are advantages
to paying somebody else to do it for you.  -- Matt Roberds, in the Monastery