Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
Martin List-Petersen
martin at airwire.ie
Fri Jan 2 16:06:31 UTC 2009
Joe Abley wrote:
>
> On 2009-01-02, at 09:04, Rodrick Brown wrote:
>
>> A team of security researchers and academics has broken a core piece
>> of Internet technology. They made their work public at the 25th Chaos
>> Communication Congress in Berlin today. The team was able to create a
>> rogue certificate authority and use it to issue valid SSL certificates
>> for any site they want. The user would have no indication that their
>> HTTPS connection was being monitored/modified.
>
> I read a comment somewhere else that while this is interesting, and good
> work, and well done, in practice it's much easier to social-engineer a
> certificate with a stolen credit card from a real CA than it is to
> create a fake CA.
>
> (I'd give proper attribution if I could remember who it was, but it put
> things into perspective for me at the time so I thought I'd share.)
>
It is. But this issue might open for man-in-the-middle attacks, which is
much harder for issued certificates.
Issued certificates usually also incorporate a check, that you control a
domain etc.
With engineered certificates you can practically avoid that whole process.
Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobal an Iarthar
http://www.airwire.ie
Phone: 091-865 968
More information about the NANOG
mailing list