Full Disclosure mailing list archives
Re: how would browser vendors deal with $O(10^k)$ fake certs?
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Sun, 17 Apr 2011 16:32:18 +0200 (CEST)
On Wed, 13 Apr 2011, Marsh Ray wrote:
> Only in cases where the element is found though, the last bit only needs to be checked if all the preceding bits matched. In the normal (non-attack) case the "s3r34l number" isn't found.
It depends on whether one talks about the worst-case complexity or about the average-case complexity.

Anyway, there is much more computation beyond the mere blacklist search: it is necessary to receive the certificate from the network (all bits must be read in order to complete the handshake) and to verify its digital signature (all bits must be hashed) or to find it in some kind of cache of verified certs (a positive result is needed here, therefore all bits must be checked and match).

-- 
Pavel Kankovsky aka Peak                          / Jeremiah 9:21       \
"For death is come up into our MS Windows(tm)..."  \ 21st century edition /

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
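The cost argument above (the blacklist lookup is cheap whether or not the serial is found, while receiving and hashing the certificate always touches every byte) can be made concrete with a small model. The following Python is an added example, not code from the thread or from any browser vendor: it counts bytes received, bytes hashed, and bytes examined by a short-circuit compare during a binary search over a sorted blacklist of serials. The certificate format, the 1200-byte size, the `revoked-N` serial labels and the blacklist size are all constructed assumptions for the model, not real DER or real revocation data.

```python
"""Cost model for a certificate-serial blacklist check (constructed example).

Counts three kinds of work done while validating one certificate:
  - bytes received  : the whole certificate must be read to finish the handshake
  - bytes hashed    : signature verification hashes the whole certificate
  - bytes compared  : a short-circuit compare stops at the first differing byte,
                      so only a *match* (the blacklisted case) examines every byte
"""
import hashlib
from dataclasses import dataclass

SERIAL_LEN = 20            # X.509 serials are at most 20 octets (RFC 5280 s4.1.2.2)
CERT_BODY_LEN = 1200       # assumed size of a typical DER certificate for this model


@dataclass
class Cost:
    bytes_received: int = 0
    bytes_hashed: int = 0
    bytes_compared: int = 0


def cmp_counting(a: bytes, b: bytes, cost: Cost) -> int:
    """Three-way byte compare that stops at the first mismatch and records
    how many bytes it looked at. (A production lookup would use a
    constant-time compare; the early exit here is what the thread discusses.)"""
    for x, y in zip(a, b):
        cost.bytes_compared += 1
        if x != y:
            return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))


def serial_blacklisted(serial: bytes, blacklist_sorted: list, cost: Cost) -> bool:
    """Binary search over a sorted list of serials, counting compared bytes."""
    lo, hi = 0, len(blacklist_sorted)
    while lo < hi:
        mid = (lo + hi) // 2
        c = cmp_counting(serial, blacklist_sorted[mid], cost)
        if c == 0:
            return True
        if c > 0:
            lo = mid + 1
        else:
            hi = mid
    return False


def make_serial(label: bytes) -> bytes:
    """Deterministic pseudo-random serial for the constructed data set."""
    return hashlib.sha256(label).digest()[:SERIAL_LEN]


def make_cert(serial: bytes) -> bytes:
    """Stand-in for a DER certificate: serial followed by filler. Not real DER."""
    return serial + b"\x00" * (CERT_BODY_LEN - SERIAL_LEN)


def validate(cert: bytes, blacklist_sorted: list, cost: Cost) -> bool:
    """Model of the work a client does before it can accept a certificate.
    Returns True when the certificate is accepted (not blacklisted)."""
    cost.bytes_received += len(cert)           # every byte crosses the wire
    hashlib.sha256(cert).digest()              # signature check hashes every byte
    cost.bytes_hashed += len(cert)
    serial = cert[:SERIAL_LEN]
    return not serial_blacklisted(serial, blacklist_sorted, cost)


def build_blacklist(n: int) -> list:
    """Constructed blacklist of n deterministic serials, sorted for binary search."""
    return sorted(make_serial(b"revoked-%d" % i) for i in range(n))


def run_model(n_blacklisted: int = 10_000):
    """Returns (cost for a blacklisted cert, cost for a clean cert)."""
    blacklist = build_blacklist(n_blacklisted)
    bad = Cost()
    validate(make_cert(blacklist[n_blacklisted // 3]), blacklist, bad)
    good = Cost()
    validate(make_cert(make_serial(b"legitimate")), blacklist, good)
    return bad, good


if __name__ == "__main__":
    bad, good = run_model()
    for name, c in (("blacklisted", bad), ("clean", good)):
        print(f"{name:12s} received={c.bytes_received} hashed={c.bytes_hashed} "
              f"compared={c.bytes_compared}")
```

With 10,000 blacklisted serials the search makes at most 14 probes, and in the clean case nearly every probe stops after one byte, so the compared-byte count stays two orders of magnitude below the bytes that had to be received and hashed anyway; only the blacklisted case pays for a full 20-byte match, which is the worst-case versus average-case distinction the reply draws.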
Current thread:
- how would browser vendors deal with $O(10^k)$ fake certs? Georgi Guninski (Apr 10)
- Re: how would browser vendors deal with $O(10^k)$ fake certs? Pavel Kankovsky (Apr 10)
- Re: how would browser vendors deal with $O(10^k)$ fake certs? Marsh Ray (Apr 13)
- Re: how would browser vendors deal with $O(10^k)$ fake certs? Pavel Kankovsky (Apr 17)
- Re: how would browser vendors deal with $O(10^k)$ fake certs? Marsh Ray (Apr 13)
- Re: how would browser vendors deal with $O(10^k)$ fake certs? Pavel Kankovsky (Apr 10)