Full Disclosure mailing list archives
Re: Creating a rogue CA certificate
From: "fd throwaway" <fd.throwaway () gmail com>
Date: Wed, 31 Dec 2008 07:41:23 -0500
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[*mailto:full-disclosure-bounces () lists grok org uk*<full-disclosure-bounces () lists grok org uk>]
On Behalf
Of jlay () slave-tothe-box net
Sent: Tuesday, December 30, 2008 3:17 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Creating a rogue CA certificate
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SSL/PKI is only as strong as the weakest CA...
For those of you who haven't been following this, here you go:
*http://www.win.tue.nl/hashclash/rogue-ca/*<http://www.win.tue.nl/hashclash/rogue-ca/>
*http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt*<http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt>
Enjoy and Happy New Years!
elazar
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at
*https://www.hushtools.com/verify* <https://www.hushtools.com/verify>
wpwEAQECAAYFAklaVFQACgkQi04xwClgpZh4TQP+ODe2/jTHhOrLbKtoSJhZInX+lJXt
LMkU/xlYK1Au/f1E5KhXt43uMWYSeC/M0njQRPLyrDfihFlLsmAxGK/97kRQfxEttbcN
R0q1BL+WmbiGNglujzSWHqMSkn20r12itVfGP77nEbGYbjidV1BXxFNR2QQwLHZhGLWe
gVO/5Zg=
=+Pm+
-----END PGP SIGNATURE-----
--
Click for free info on getting an MBA, $200K/ year potential.
*http://tagline.hushmail.com/fc/PnY6qxsZwUN6299xt0fJO8HvJUKovV4hcZ7MH3I*<http://tagline.hushmail.com/fc/PnY6qxsZwUN6299xt0fJO8HvJUKovV4hcZ7MH3I>
6KbhlC0IDsYiG8/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: *http://lists.grok.org.uk/full-disclosure-charter.html*<http://lists.grok.org.uk/full-disclosure-charter.html>
Hosted and sponsored by Secunia - *http://secunia.com/*<http://secunia.com/>
From Microsoft:
*http://www.microsoft.com/technet/security/advisory/961509.mspx*<http://www.microsoft.com/technet/security/advisory/961509.mspx>
"Microsoft is not aware of specific attacks against MD5, so
previously issued certificates that were signed using MD5 are
not affected and do not need to be revoked. This issue only
affects certificates being signed using MD5 after the
publication of the attack method."
I take it the above is incorrect?
James
_______________________________________________
Full-Disclosure - We believe in it.
Charter: *http://lists.grok.org.uk/full-disclosure-charter.html*<http://lists.grok.org.uk/full-disclosure-charter.html>
Hosted and sponsored by Secunia - *http://secunia.com/*<http://secunia.com/>
No it is correct because the attack creates a new CA from the compromised cert which is then used to sign certs, it doesn't involve copying the signatures of certs that already have been signed by legit CAs with the exception of the one that is used to create the rogue CA
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Creating a rogue CA certificate, (continued)
- Re: Creating a rogue CA certificate Valdis . Kletnieks (Dec 30)
- Re: Creating a rogue CA certificate chort (Dec 30)
- Re: Creating a rogue CA certificate Ureleet (Dec 31)
- Re: Creating a rogue CA certificate jlay (Dec 30)
- Re: Creating a rogue CA certificate Elazar Broad (Dec 30)
- Re: Creating a rogue CA certificate Elazar Broad (Dec 30)
- Re: Creating a rogue CA certificate Valdis . Kletnieks (Dec 30)
- Re: Creating a rogue CA certificate Elazar Broad (Dec 31)
- Re: Creating a rogue CA certificate Valdis . Kletnieks (Dec 31)
- Re: Creating a rogue CA certificate Elazar Broad (Dec 31)
- Re: Creating a rogue CA certificate fd throwaway (Dec 31)