Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

Jasper Bryant-Greene jasper at unleash.co.nz
Fri Jan 2 14:07:18 CST 2009


On 3/01/2009, at 6:06 AM, Steven M. Bellovin wrote:

> On Fri, 2 Jan 2009 17:53:55 +0100
> "Terje Bless" <link at pobox.com> wrote:
>
>> On Fri, Jan 2, 2009 at 5:44 PM,  <Valdis.Kletnieks at vt.edu> wrote:
>>> Hmm... so basically all deployed FireFox and IE either don't even
>>> try to do a CRL, or they ask the dodgy certificate "Who can I ask
>>> if you're dodgy?"
>>
>> Hmm. Don't the shipped-with-the-browser trusted root certificates
>> include a CRL URL?
>>
>>
> Every CA runs its own CRL server -- it has to be that way.


But the engineered certificate won't be considered trusted if its  
whole chain back to the root isn't trusted, and one or more of the  
certificates in that chain should have been shipped with the browser  
and hopefully includes a CRL URL.

Although they won't want to, surely the roots should revoke their root  
certificates that issued MD5-signed certificates, and issue new root  
certificates for issuing SHA-1-signed certificates. Browsers would  
then stop trusting all the MD5-signed certificates due to them not  
having a trusted chain back to the root, assuming they bother to check  
all the certificates in the chain for revocation.

Of course, this will just make the browsers pop up dialog boxes which  
everyone will click OK on...

--
Jasper Bryant-Greene
Network Engineer, Unleash

ddi: +64  3 978 1222
mob: +64 21 129 9458





More information about the NANOG mailing list