Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

[Gadi Evron <ge () linuxbox org>]

On Fri, 2 Jan 2009, Joe Abley wrote:
> On 2009-01-02, at 09:04, Rodrick Brown wrote:
>
> > A team of security researchers and academics has broken a core piece
> > of Internet technology. They made their work public at the 25th Chaos
> > Communication Congress in Berlin today. The team was able to create a
> > rogue certificate authority and use it to issue valid SSL certificates
> > for any site they want. The user would have no indication that their
> > HTTPS connection was being monitored/modified.
>
> I read a comment somewhere else that while this is interesting, and good 
> work, and well done, in practice it's much easier to social-engineer a 
> certificate with a stolen credit card from a real CA than it is to create a 
> fake CA.
>
> (I'd give proper attribution if I could remember who it was, but it put 
> things into perspective for me at the time so I thought I'd share.)

My facebook status? :P