Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

Steven M. Bellovin smb at cs.columbia.edu
Fri Jan 2 14:58:12 CST 2009


On Fri, 2 Jan 2009 15:49:24 -0500
Deepak Jain <deepak at ai.net> wrote:

> > Of course, this will just make the browsers pop up dialog boxes
> > which everyone will click OK on...
> > 
> 
> And brings us to an even more interesting question, since everything
> is trusting their in-browser root CAs and such. How trustable is the
> auto-update process? If one does provoke a mass-revocation of
> certificates and everyone needs to update their browsers... how do
> the auto-update daemons *know* that what they are getting is the real
> deal? 
> 
> [I haven't looked into this, just bringing it up. I'm almost certain
> its less secure than the joke that is SSL certification].
> 
If done properly, that's actually an easier task: you build the update
key into the browser.  When it pulls in an update, it verifies that it
was signed with the proper key.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb




More information about the NANOG mailing list