nanog mailing list archives
Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Fri, 2 Jan 2009 15:58:12 -0500
On Fri, 2 Jan 2009 15:49:24 -0500 Deepak Jain <deepak () ai net> wrote:
Of course, this will just make the browsers pop up dialog boxes which everyone will click OK on...And brings us to an even more interesting question, since everything is trusting their in-browser root CAs and such. How trustable is the auto-update process? If one does provoke a mass-revocation of certificates and everyone needs to update their browsers... how do the auto-update daemons *know* that what they are getting is the real deal? [I haven't looked into this, just bringing it up. I'm almost certain its less secure than the joke that is SSL certification].
If done properly, that's actually an easier task: you build the update key into the browser. When it pulls in an update, it verifies that it was signed with the proper key. --Steve Bellovin, http://www.cs.columbia.edu/~smb
Current thread:
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw., (continued)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Christopher Morrow (Jan 04)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Christopher Morrow (Jan 04)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Kevin Oberman (Jan 04)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Nick Hilliard (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Florian Weimer (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Valdis . Kletnieks (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Terje Bless (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Jasper Bryant-Greene (Jan 02)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Skywing (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Steven M. Bellovin (Jan 02)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Deepak Jain (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Jason Uhlenkott (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Randy Bush (Jan 05)