Security team successfully cracks SSL using 200 PS3's and MD5

Christopher Morrow morrowc.lists at
Sat Jan 3 17:31:53 UTC 2009

On Sat, Jan 3, 2009 at 10:49 AM, Steven M. Bellovin <smb at> wrote:
> On Sat, 03 Jan 2009 09:35:06 -0500
> William Warren <hescominsoon at> wrote:
>> Everyone seems to be stampeding to SHA-1..yet it was broken in 2005.
>> So we trade MD5 for SHA-1?  This makes no sense.
> (a) SHA-1 was not broken as badly.  The best attack is, as I recall,
> 2^63, which is computationally infeasible without special-purpose
> hardware.

special purpose? or lots of commodity? like the Amazon-EC2 example
used in the cert issue? (or PS3s or...)

> (b) Per a paper Eric Rescorla and I wrote, there's no usable
> alternative, since too many protocols (including TLS) don't negotiate
> hash functions before presenting certificates.  In particular, this
> means that a web site can't use SHA-256 because (1) most clients won't
> support it; and (2) it can't tell which ones do.  (Note that this
> argument applies just as much to combinations of hash functions --
> anything that *the large majority of today's* browsers don't implement
> isn't usable.)

This is a function of an upgrade (firefox3.5 coming 'soon!') for
browsers, and for OS's as well, yes? So, given a future flag-day (18
months from today no more MD5, only SHA-232323 will be used!!)
browsers for the majority of the market could be upgraded. Certainly
there are non-browsers out there (eudora, openssl, wget,
curl..bittorrent-clients, embedded things) which either will lag more
or break altogether.

> These two points lead us to (c): security is a matter of economics, not
> algorithms.  Switching now to something else loses more in connectivity
> or customers than you would lose from such an expensive attack.

only if not staged out with enough time to roll updates in first, right?
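Added example, not part of the thread or anyone's posted code: before any "no more MD5" flag-day an operator needs to know which certificates are still MD5-signed. This reads the hash named by a DER certificate's outer signatureAlgorithm using only the Python standard library; the sample certificate is constructed inline and is not a real one.

```python
# Added example: read the hash named by an X.509 certificate's signatureAlgorithm
# (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })
# so MD5-signed certificates can be inventoried ahead of a flag-day. Stdlib only.
SIG_HASH = {  # algorithm OID -> hash it uses (RFC 3279 / RFC 4055 / RFC 5758)
    "1.2.840.113549.1.1.4": "MD5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}
WEAK_HASHES = {"MD5", "SHA-1"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets -> dotted string (first octet packs two arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # clear high bit ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """Return (oid, hash_name, is_weak) for a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)         # tbsCertificate: skipped entirely
    _, alg_id, _ = _read_tlv(cert, pos)    # signatureAlgorithm SEQUENCE
    oid_tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = _decode_oid(oid_raw)
    name = SIG_HASH.get(oid, "unknown")
    return oid, name, name in WEAK_HASHES

def _der(tag, body):                       # short-form encoder, sample only
    return bytes([tag, len(body)]) + body

# Constructed sample, not a real certificate: stub tbsCertificate, then
# AlgorithmIdentifier { md5WithRSAEncryption, NULL }, then a stub BIT STRING.
SAMPLE_MD5_CERT = _der(0x30, _der(0x30, b"\x02\x01\x01")
    + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010104")) + _der(0x05, b""))
    + _der(0x03, b"\x00" * 9))
```

RFC 5280 requires the outer signatureAlgorithm to match tbsCertificate.signature, so reading the outer one is enough for an inventory pass over DER files.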

