Security team successfully cracks SSL using 200 PS3's and MD5

Nick Hilliard nick at
Sat Jan 3 18:41:52 UTC 2009

Christopher Morrow wrote:
> This is a function of an upgrade (firefox3.5 coming 'soon!') for
> browsers, and for OS's as well, yes? So, given a future flag-day (18
> months from today no more MD5, only SHA-232323 will be used!!)
> browsers for the majority of the market could be upgraded. Certainly
> there are non-browsers out there (eudora, openssl, wget,
> curl..bittorrent-clients, embedded things) which either will lag more
> or break all together.

I think you might be downplaying the size of the problem here.  X.509 and
TLS/SSL isn't just used for browsers, but for a wide variety of places
where there is a requirement for PKI based security.  So when you talk
about a flag day for dealing with SHA-X (where X != 1), have you considered
the logistical problems of upgrading all those embedded devices around the
world?  The credit card terminals?  The tiny CPE vpn units?  The old
machine in the corner which handles corporate sign-on, where the vendor has
now gone bust and no-one has the source code.  And the large web portal
which had a whole bunch of local apache customisations based on apache
1.3.x and where the original developers left for greener pa$ture$, and
no-one in-house really understands what they did any longer.  Etc, etc.

It's different if you have a protocol which allows parameter negotiation to
deal with issues like this, but not so good when you don't.


More information about the NANOG mailing list