Security team successfully cracks SSL using 200 PS3's and MD5

Florian Weimer fw at
Sat Jan 3 21:33:53 UTC 2009

* Nick Hilliard:

> I think you might be downplaying the size of the problem here.  X.509 and
> TLS/SSL isn't just used for browsers, but for a wide variety of places
> where there is a requirement for PKI based security.  So when you talk
> about a flag day for dealing with SHA-X (where X != 1), have you considered
> the logistical problems of upgrading all those embedded devices around the
> world?

They won't be affected by the flag day, because the flag day is set by
the relying party (that is, the browser), not the CA.

If you've got a real PKI deployment, by definition, you've got
procedures to deal with sudden advances in published cryptanalysis
(even if it involves posting guards at certain buildings, instead of
relying on smartcards for access control).  The problematic areas are
those where cryptography is used to comply with some checklist (or for
PR purposes), and not for its security properties.  In those
environments, algorithm changes can never justify the associated

More information about the NANOG mailing list