Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

Steven M. Bellovin smb at
Fri Jan 2 20:58:12 UTC 2009

On Fri, 2 Jan 2009 15:49:24 -0500
Deepak Jain <deepak at> wrote:

> > Of course, this will just make the browsers pop up dialog boxes
> > which everyone will click OK on...
> > 
> And brings us to an even more interesting question, since everything
> is trusting their in-browser root CAs and such. How trustable is the
> auto-update process? If one does provoke a mass-revocation of
> certificates and everyone needs to update their browsers... how do
> the auto-update daemons *know* that what they are getting is the real
> deal? 
> [I haven't looked into this, just bringing it up. I'm almost certain
> its less secure than the joke that is SSL certification].
If done properly, that's actually an easier task: you build the update
key into the browser.  When it pulls in an update, it verifies that it
was signed with the proper key.

		--Steve Bellovin,

More information about the NANOG mailing list