nanog mailing list archives

Re: Security team successfully cracks SSL using 200 PS3's and MD5

From: Joe Abley <jabley () hopcount ca>
Date: Fri, 2 Jan 2009 12:39:30 -0500


On 2 Jan 2009, at 12:33, Joe Greco wrote:

We cannot continue to justify security failure on the basis that a
significant percentage of the clients don't support it, or arebroken in
their support.  That's an argument for fixing the clients.

At a more basic level, though, isn't failure guaranteed for these kindof clients (web browsers) so long as users are conditioned to click OK/Continue for every SSL certificate failure that is reported to them?

If I was attempting a large-scale man-in-the-middle attack, perhapsI'd be happier to do no work and intercept 5% of sessions (those whoclick OK on a certificate that is clearly bogus) than I would to do anenormous amount of work and intercept 100% (those who would see nowarnings). And surely 5% is a massive under-estimate.

Joe

Current thread:

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw., (continued)
- - - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Terje Bless (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Jasper Bryant-Greene (Jan 02)
    - RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
    - RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
    - RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Skywing (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
    - RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Jason Uhlenkott (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Randy Bush (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Randy Bush (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Valdis . Kletnieks (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Jason Uhlenkott (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Matthew Kaufman (Jan 05)

(Thread continues...)