nanog mailing list archives
Re: Security team successfully cracks SSL using 200 PS3's and MD5
From: William Warren <hescominsoon () emmanuelcomputerconsulting com>
Date: Sat, 03 Jan 2009 09:35:06 -0500
Dragos Ruiu wrote:
Everyone seems to be stampeding to SHA-1..yet it was broken in 2005. So we trade MD5 for SHA-1? This makes no sense.On 2-Jan-09, at 9:56 AM, Robert Mathews (OSIA) wrote:Joe Greco wrote:[ .... ] Either we take the potential for transparent MitM attacks seriously, or we do not. I'm sure the NSA would prefer "not." :-) As for the points raised in your message, yes, there are additionalproblems with clients that have not taken this seriously. It is, however,one thing to have locks on your door that you do not lock, and another thing entirely not to have locks (and therefore completely lack theability to lock). I hope that there is some serious thought going on inthe browser groups about this sort of issue. [ ... ] ... JGF Y I, see: SSL Blacklist 4.0 - for a Firefox extension able to detect 'bad' certificates @ http://www.codefromthe70s.org/sslblacklist.aspx Best.Snort rule to detect said... url: http://vrt-sourcefire.blogspot.com/2009/01/md5-actually-harmful.htmlalert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Weak SSL OSCP response -- MD5 usage"; content:"content-type: application/ocsp-response"; content:"2A 86 48 86 F7 0D 01 01 05"; metadata: policy security-ips drop, service http; reference: url, www.win.tue.nl/hashclash/rogue-ca/; classtype: policy-violation; sid:1000001;)cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Vancouver, Canada March 16-20 2009 http://cansecwest.com London, U.K. May 27/28 2009 http://eusecwest.com pgpkey http://dragos.com/ kyxpgp
Current thread:
- Re: Security team successfully cracks SSL using 200 PS3's and MD5, (continued)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Colin Alston (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Mark Andrews (Jan 05)
- DNSSEC vs. X509 (Re: Security team successfully cracks SSL...) Paul Vixie (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Mark Andrews (Jan 05)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 Stasiniewicz, Adam (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Robert Mathews (OSIA) (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Dragos Ruiu (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Gadi Evron (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Dragos Ruiu (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Christopher Morrow (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 William Warren (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Dorn Hetzel (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Marshall Eubanks (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Steven M. Bellovin (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Christopher Morrow (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Steven M. Bellovin (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Nick Hilliard (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Florian Weimer (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Christopher Morrow (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Florian Weimer (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 02)