Security team successfully cracks SSL using 200 PS3's and MD5

Christopher Morrow morrowc.lists at gmail.com
Sat Jan 3 17:31:53 UTC 2009


On Sat, Jan 3, 2009 at 10:49 AM, Steven M. Bellovin <smb at cs.columbia.edu> wrote:
> On Sat, 03 Jan 2009 09:35:06 -0500
> William Warren <hescominsoon at emmanuelcomputerconsulting.com> wrote:
>
>> Everyone seems to be stampeding to SHA-1..yet it was broken in 2005.
>> So we trade MD5 for SHA-1?  This makes no sense.
>>
> (a) SHA-1 was not broken as badly.  The best attack is, as I recall,
> 2^63, which is computationally infeasible without special-purpose
> hardware.
>

special purpose? or lots of commodity? like the Amazon-EC2 example
used in the cert issue? (or PS3s or...)

> (b) Per a paper Eric Rescorla and I wrote, there's no usable
> alternative, since too many protocols (including TLS) don't negotiate
> hash functions before presenting certificates.  In particular, this
> means that a web site can't use SHA-256 because (1) most clients won't
> support it; and (2) it can't tell which ones do.  (Note that this
> argument applies just as much to combinations of hash functions --
> anything that *the large majority of today's* browsers don't implement
> isn't usable.)

This is a function of an upgrade (firefox3.5 coming 'soon!') for
browsers, and for OS's as well, yes? So, given a future flag-day (18
months from today no more MD5, only SHA-232323 will be used!!)
browsers for the majority of the market could be upgraded. Certainly
there are non-browsers out there (eudora, openssl, wget,
curl..bittorrent-clients, embedded things) which either will lag more
or break altogether.

>
> These two points lead us to (c): security is a matter of economics, not
> algorithms.  Switching now to something else loses more in connectivity
> or customers than you would lose from such an expensive attack.
>

only if not staged out with enough time to roll updates in first, right?

-Chris
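The quoted point that TLS presents certificates before any hash negotiation means the one thing an operator can do ahead of a flag day is find out which of their own certificates still carry an MD5 or SHA-1 signature. The following is an added example, not code from the list thread or from any NANOG poster: a standard-library-only Python check that reads the outer signatureAlgorithm OID straight from a DER-encoded certificate and flags deprecated hashes. The sample "fleet" is built from constructed skeleton certificates (empty tbsCertificate and signature), since only the signatureAlgorithm field matters for this check; the OID table covers the common RSA and ECDSA signature algorithm identifiers.

```python
"""Audit which hash each X.509 certificate's signature commits a verifier to,
by decoding the outer signatureAlgorithm OID from the DER encoding.

Added example using only the standard library. The certificates below are
constructed skeletons, not real certificates.
"""

# Signature-algorithm OIDs and the hash each one implies.
HASH_FOR_SIG_OID = {
    "1.2.840.113549.1.1.4": "MD5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}

DEPRECATED_HASHES = {"MD5", "SHA-1"}


# --- minimal DER encode/decode helpers -------------------------------------

def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form.
    Assumes the first two arcs fit in one octet (true for 1.x and 2.x below 2.47)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Return (tag, content, position after this TLV) for the element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- the check --------------------------------------------------------------

def signature_hash(cert_der):
    """Return the hash name implied by the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = read_tlv(cert, 0)
    tag, sig_alg, _ = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_content, _ = read_tlv(sig_alg, 0)   # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return HASH_FOR_SIG_OID.get(decode_oid(oid_content), "unknown")


def audit(certs):
    """Map name -> (hash, needs_reissue) for a dict of DER certificates."""
    report = {}
    for name, cert_der in certs.items():
        h = signature_hash(cert_der)
        report[name] = (h, h in DEPRECATED_HASHES)
    return report


def build_sample_cert(sig_oid):
    """Constructed skeleton: empty tbsCertificate, AlgorithmIdentifier with NULL
    params, empty BIT STRING signature. Enough structure for the check above."""
    tbs = der(0x30, b"")
    sig_alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    sig_value = der(0x03, b"\x00")
    return der(0x30, tbs + sig_alg + sig_value)


# Constructed sample fleet (hypothetical names).
SAMPLE_FLEET = {
    "legacy-ca-signed": build_sample_cert("1.2.840.113549.1.1.4"),
    "current-web": build_sample_cert("1.2.840.113549.1.1.5"),
    "post-flag-day": build_sample_cert("1.2.840.113549.1.1.11"),
}

if __name__ == "__main__":
    for name, (h, bad) in audit(SAMPLE_FLEET).items():
        print(f"{name:18} {h:8} {'reissue before flag day' if bad else 'ok'}")
```

For a real inventory, replace SAMPLE_FLEET with the DER bytes of each deployed certificate (PEM files need base64-decoding first); the parser only touches the three top-level fields, so it is unaffected by anything inside tbsCertificate.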
