Security team successfully cracks SSL using 200 PS3's and MD5

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jan 5 15:23:22 CST 2009


On Tue, 06 Jan 2009 06:09:34 +0900, Randy Bush said:

> to use your example, the contractor who serves dns for www.bank.example 
> could insert a cert and then fake the web site having (a child of) that 
> cert.  whereas, if the site had its cert a descendant of the ca for all 
> banks, this attack would fail.

All you've done *there* is transfer the trust from the contractor to
the company that's the "ca for the bank".  Yes, the ca-for-banks.com
has a vested interest in making sure none of its employees go rogue and
do something naughty - but so does the DNS contractor.

One could equally well argue that if a site was using the DNS for certs
would be immune to an attack on a CA.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090105/21b65fed/attachment.bin>


More information about the NANOG mailing list