nanog mailing list archives
Re: Security team successfully cracks SSL using 200 PS3's and MD5
From: Randy Bush <randy () psg com>
Date: Tue, 06 Jan 2009 06:09:34 +0900
On 09.01.06 05:59, Joe Abley wrote:
perhaps i am a bit slow. but could someone explain to me how trust in dns data transfers to trust in an http partner and other uses to which ssl is put?If I can get secure answers to "www.bank.example IN CERT?" and "www.bank.example IN A?" then perhaps when I connect to www.bank.example:443 I can decide to trust the certificate presented by the server based on the trust anchor I extracted from the DNS, rather than whatever trust anchors were bundled with my browser. That presumably would mean that the organisation responsible for bank.example could run their own CA and publish their own trust anchor, without having to buy that service from one of the traditional CA companies. No doubt there is more to it than that. I don't know anything much about X.509.
x.509 is not the issue. it is your assumption that dns trust is formally transferrable to ssl/tls cert trust.
to use your example, the contractor who serves dns for www.bank.example could insert a cert and then fake the web site having (a child of) that cert. whereas, if the site had its cert a descendant of the ca for all banks, this attack would fail.
and i am not interested in quibbling about banks and who issues root cas. the point is that there are two different trust models here, and trust is not transitive.
but then again, i have not even had coffee yet this morning. randy
Current thread:
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw., (continued)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Skywing (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Jason Uhlenkott (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Randy Bush (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Randy Bush (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Valdis . Kletnieks (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Jason Uhlenkott (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Matthew Kaufman (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Michael Sinatra (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Colin Alston (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Mark Andrews (Jan 05)
- DNSSEC vs. X509 (Re: Security team successfully cracks SSL...) Paul Vixie (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Mark Andrews (Jan 05)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 Stasiniewicz, Adam (Jan 02)