Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
jasper at unleash.co.nz
Fri Jan 2 20:07:18 UTC 2009
On 3/01/2009, at 6:06 AM, Steven M. Bellovin wrote:
> On Fri, 2 Jan 2009 17:53:55 +0100
> "Terje Bless" <link at pobox.com> wrote:
>> On Fri, Jan 2, 2009 at 5:44 PM, <Valdis.Kletnieks at vt.edu> wrote:
>>> Hmm... so basically all deployed FireFox and IE either don't even
>>> try to do a CRL, or they ask the dodgy certificate "Who can I ask
>>> if you're dodgy?"
>> Hmm. Don't the shipped-with-the-browser trusted root certificates
>> include a CRL URL?
> Every CA runs its own CRL server -- it has to be that way.
But the engineered certificate won't be considered trusted if its
whole chain back to the root isn't trusted, and one or more of the
certificates in that chain should have been shipped with the browser
and hopefully includes a CRL URL.
Although they won't want to, surely the roots should revoke their root
certificates that issued MD5-signed certificates, and issue new root
certificates for issuing SHA-1-signed certificates. Browsers would
then stop trusting all the MD5-signed certificates due to them not
having a trusted chain back to the root, assuming they bother to check
all the certificates in the chain for revocation.
Of course, this will just make the browsers pop up dialog boxes which
everyone will click OK on...
Network Engineer, Unleash
ddi: +64 3 978 1222
mob: +64 21 129 9458
More information about the NANOG