Security team successfully cracks SSL using 200 PS3's and MD5

Joe Abley jabley at hopcount.ca
Mon Jan 5 14:59:54 CST 2009


On 2009-01-05, at 15:47, Randy Bush wrote:

> perhaps i am a bit slow.  but could someone explain to me how trust  
> in dns data transfers to trust in an http partner and other uses to  
> which ssl is put?

If I can get secure answers to "www.bank.example IN CERT?" and "www.bank.example 
  IN A?" then perhaps when I connect to www.bank.example:443 I can  
decide to trust the certificate presented by the server based on the  
trust anchor I extracted from the DNS, rather than whatever trust  
anchors were bundled with my browser.

That presumably would mean that the organisation responsible for  
bank.example could run their own CA and publish their own trust  
anchor, without having to buy that service from one of the traditional  
CA companies.

No doubt there is more to it than that. I don't know anything much  
about X.509.


Joe





More information about the NANOG mailing list