Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

Deepak Jain deepak at ai.net
Fri Jan 2 14:49:24 CST 2009


> Of course, this will just make the browsers pop up dialog boxes which
> everyone will click OK on...
> 

And brings us to an even more interesting question, since everything is trusting their in-browser root CAs and such. How trustable is the auto-update process? If one does provoke
a mass-revocation of certificates and everyone needs to update their browsers... how do the
auto-update daemons *know* that what they are getting is the real deal? 

[I haven't looked into this, just bringing it up. I'm almost certain its less secure than the joke that is SSL certification].

Happy New Year!

Deepak




More information about the NANOG mailing list