nanog mailing list archives

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

From: Skywing <Skywing () valhallalegends com>
Date: Fri, 2 Jan 2009 15:19:19 -0600

For IE and other things using CryptoAPI on Windows, this should be handled through the automagic root certificate 
update through Windows Update (if one hasn't disabled it), AFAIK.

The question is really whether that mechanism requires a cert rooted at a Microsoft authority or not.  The danger being 
that someone could use an intermediate CA rooted at an md5-signing CA and present a seemingly valid cert through that 
with the right common name.

Some other Microsoft things (i.e. KMCS) require certs rooted to a single specific root and not just *any* global root, 
so it's possible that the same is done for root certificate update blobs; however, I don't know for certain, and some 
research would need to be done.  I don't think any of the MS issuing roots use md5, though.

- S

-----Original Message-----
From: Deepak Jain [mailto:deepak () ai net] 
Sent: Friday, January 02, 2009 4:14 PM
To: Steven M. Bellovin
Cc: NANOG
Subject: RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

If done properly, that's actually an easier task: you build the update
key into the browser.  When it pulls in an update, it verifies that it
was signed with the proper key.


If you build it into the browser, how do you revoke it when someone throws 2000 PS3s to crack it, or your hash, or your 
[pick algorithmic mistake here].

Deepak

Current thread:

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw., (continued)
- - - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Kevin Oberman (Jan 04)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Nick Hilliard (Jan 03)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Florian Weimer (Jan 03)
  - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Valdis . Kletnieks (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Terje Bless (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Jasper Bryant-Greene (Jan 02)
    - RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
    - RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
    - RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Skywing (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
    - RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 02)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Jason Uhlenkott (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Randy Bush (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 05)
    - Re: Security team successfully cracks SSL using 200 PS3's and MD5 Randy Bush (Jan 05)

(Thread continues...)