nanog mailing list archives
Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
From: Valdis.Kletnieks () vt edu
Date: Fri, 02 Jan 2009 11:44:33 -0500
On Fri, 02 Jan 2009 09:58:05 CST, Joe Greco said:
Anyways, I was under the impression that the whole purpose of the revocation capabilities of SSL was to deal with problems like this, and that a large part of the justification of the cost of an SSL certificate was the administrative burden associated with guaranteeing and maintaining the security of the chain.
What percentage of deployed browsers handle CRL's correctly? Consider this snippet from the phreedom.org page (section 6.1): "One interesting observation from our work is that the rogue certificate we have created is very hard to revoke using the revocation mechanism available in common browsers. There are two protocols for certificate revocation, CRL and OSCP. Until Firefox 3 and IE 7, certificate revocation was disabled by default. Even in the latest versions, the browsers rely on the certificate to include a URL pointing to a revocation server. Our rogue CA certificate had very limited space and it was impossible to include such a URL, which means that by default both Internet Explorer and Firefox are unable to find a revocation server to check our certificate against." Hmm... so basically all deployed FireFox and IE either don't even try to do a CRL, or they ask the dodgy certificate "Who can I ask if you're dodgy?" What's wrong with this picture? (Personally, I consider this a potentially bigger problem than the MD5 issue...)
Attachment:
_bin
Description:
Current thread:
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw., (continued)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Mikael Abrahamsson (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Hank Nussbacher (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Florian Weimer (Jan 04)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Rubens Kuhl Jr. (Jan 04)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Marshall Eubanks (Jan 04)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Christopher Morrow (Jan 04)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Christopher Morrow (Jan 04)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Kevin Oberman (Jan 04)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Nick Hilliard (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Florian Weimer (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Terje Bless (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Jasper Bryant-Greene (Jan 02)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Skywing (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)