Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
Steven M. Bellovin
smb at cs.columbia.edu
Fri Jan 2 20:58:12 UTC 2009
On Fri, 2 Jan 2009 15:49:24 -0500
Deepak Jain <deepak at ai.net> wrote:
> > Of course, this will just make the browsers pop up dialog boxes
> > which everyone will click OK on...
> >
>
> And brings us to an even more interesting question, since everything
> is trusting their in-browser root CAs and such. How trustable is the
> auto-update process? If one does provoke a mass-revocation of
> certificates and everyone needs to update their browsers... how do
> the auto-update daemons *know* that what they are getting is the real
> deal?
>
> [I haven't looked into this, just bringing it up. I'm almost certain
> its less secure than the joke that is SSL certification].
>
If done properly, that's actually an easier task: you build the update
key into the browser. When it pulls in an update, it verifies that it
was signed with the proper key.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list