Re: Creating a rogue CA certificate

[chort <chort0 () gmail com>]

On Tue, Dec 30, 2008 at 2:42 PM, n3td3v <xploitable () gmail com> wrote:
> On Tue, Dec 30, 2008 at 10:29 PM,  <Valdis.Kletnieks () vt edu> wrote:
> > On Tue, 30 Dec 2008 20:10:16 GMT, n3td3v said:
> > > Aiding script kids to get credit card numbers out of folks e-commerce
> > > purchases.
> >
> > Dear Idiot:
> >
> > This is hardly an attack that the average script kiddie can pull off.
>
> Until HD Moore releases an attack module for it.

Since you're so certain this is possible, could you kindly summarize
(at a high level, no need for detail) how this could be accomplished?

Now that you're unable to do so, I will explain why:  Because you
don't have a clue how PKI works, much less how it's possible to
exploit it, which is really tragic considering there are plenty of
pretty graphs and dumbed-down explanations out there now that even a
drop-out should be able to comprehend.

Assuming source code, or even full attack details, are published any
time soon, will HD Moore also be sending out free super-computing
clusters to find the MD5 collisions?  Well he be sending free money to
buy the certificates required to accurately predict the serial number
to generate?  This isn't some SQL injection or remote buffer overflow,
there are a lot of manual steps involved that cannot simply be plugged
into a generic attack platform.

You're an ignorant fool.  You should ask questions to learn how things
work before you spout opinions.  Statements are only thought-provoking
if they're made based on comprehension of the subject matter.  The
only thing you have full comprehension of is how to hit Send, and
that's quite unfortunate.


-- 
chort

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/