Full Disclosure mailing list archives
Re: Creating a rogue CA certificate
From: "Elazar Broad" <elazar () hushmail com>
Date: Wed, 31 Dec 2008 12:57:52 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 That's true, keeping up with security is not cheap nor easy. Tradeoff's are tradeoff's, the question is, when it comes down to the $$$, is more cost effective to be proactive vs reactive in this case. Time will tell... On Tue, 30 Dec 2008 16:42:47 -0500 Valdis.Kletnieks () vt edu wrote:
On Tue, 30 Dec 2008 16:13:07 EST, Elazar Broad said:And they should have listened then, it was only a matter of time before someone fleshed out a practical attack, and that time is now. Then again, I am sure there some ATM's out there stillusingDES. How many time's do we need to prove Moore's law...Playing devil's advocate for a moment... And perhaps they *were* listening, but realized that security is about tradeoffs, and they balanced the cost of doing the upgrade back then against the chances that a team as technically and budget-wise prepared as this one, *and with nefarious intent*, would do something significantly drastic enough to dent their revenue stream. Read section 5.2 of the hashclash/rogue-ca paper. The victim CA is churning out an average of 1,000 certs in 3 days, let's say at $12 per. That's some $600K per year for just the weekends, not counting the Mon-Thurs span which is probably even higher (and why they targeted a weekend). So $2M per year or more. Who wants to place a bet that said CA will be selling *the same number* of certs every week, meaning they had *no* economic loss due to this hack, because their customers won't actually *see* the news article and give them a bad feeling about their CA? And with no actual loss, why spend the money to implement the change? Hint: It *isn't* just a matter of changing one line in a script to say 'sha1' instead of 'md5' - you *also* need to go back and look at all the certs you've issued already and figure out if they've been tweaked...
-----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQECAAYFAklbsqAACgkQi04xwClgpZh3FQQAgHyAry+xv7AOcUWHLNrGsUqmT9XP BWa4ahzXUE9JTe8FT37fvNhv5ZwouHVYVZPZViwXcu0Kv2SHUSlfp5XGzObx6nDoO6X6 ObF8iBEPORsEkc9kzZDyOylswHRQrNI6c21t9GsntW0Nr8258ttY4xbhKmF0a+TkOWhX /KBLZ4s= =dMtL -----END PGP SIGNATURE----- -- Go to massage therapy school and make up to $150/hour, click now! http://tagline.hushmail.com/fc/PnY6qxsbdbDEzAmhq24lIfo9SlWI9FpadA4MjMGNNyIfje7zdJ85y/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Creating a rogue CA certificate, (continued)
- Re: Creating a rogue CA certificate chort (Dec 30)
- Re: Creating a rogue CA certificate Valdis . Kletnieks (Dec 30)
- Re: Creating a rogue CA certificate chort (Dec 30)
- Re: Creating a rogue CA certificate Valdis . Kletnieks (Dec 30)
- Re: Creating a rogue CA certificate chort (Dec 30)
- Re: Creating a rogue CA certificate Ureleet (Dec 31)
- Re: Creating a rogue CA certificate Valdis . Kletnieks (Dec 30)
- Re: Creating a rogue CA certificate Valdis . Kletnieks (Dec 31)