Re: Security by asking the drunk whether he's drunk

2009-01-02 Thread Paul Hoffman
At 10:19 PM -0500 12/30/08, Jerry Leichter wrote: Robert Graham writes in Errata Security (http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html) that the attack depends on being able to predict the serial number field that will be assigned to a legitimate certificate by

Re: Security by asking the drunk whether he's drunk

2009-01-01 Thread Peter Gutmann
Sidney Markowitz sid...@sidney.com writes: So which is worse, that anyone (allegedly) can get a cert from Comodo for any domain without any proof of identity or verification of control of the domain, or that CA root certs that use MD5 for their hash are still in use and have now been cracked?

Re: Security by asking the drunk whether he's drunk

2009-01-01 Thread Jerry Leichter
On Dec 30, 2008, at 4:21 PM, Sidney Markowitz wrote: Sidney Markowitz wrote, On 31/12/08 10:08 AM: or that CA root certs that use MD5 for their hash are still in use and have now been cracked? I should remember -- morning coffee first, then post. The CA root certs themselves have not been

Re: Security by asking the drunk whether he's drunk

2008-12-30 Thread Peter Gutmann
David Molnar dmol...@eecs.berkeley.edu writes: Service from a group at CMU that uses semi-trusted notary servers to periodically probe a web site to see which public key it uses. The notaries provide the list of keys used to you, so you can attempt to detect things like a site that has a

Re: Security by asking the drunk whether he's drunk

2008-12-30 Thread Ben Laurie
On Mon, Dec 29, 2008 at 10:10 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: David Molnar dmol...@eecs.berkeley.edu writes: Service from a group at CMU that uses semi-trusted notary servers to periodically probe a web site to see which public key it uses. The notaries provide the list of

Re: Security by asking the drunk whether he's drunk

2008-12-30 Thread Peter Gutmann
Ben Laurie b...@google.com writes: what happens when the cert rolls? If the key also changes (which would seem to me to be good practice), then the site looks suspect for a while. I'm not aware of any absolute figures for this but there's a lot of anecdotal evidence that many cert renewals just

Re: Security by asking the drunk whether he's drunk

2008-12-30 Thread Ben Laurie
On Tue, Dec 30, 2008 at 4:25 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Ben Laurie b...@google.com writes: what happens when the cert rolls? If the key also changes (which would seem to me to be good practice), then the site looks suspect for a while. I'm not aware of any absolute

Re: Security by asking the drunk whether he's drunk

2008-12-28 Thread Florian Weimer
* Jerry Leichter: I got in touch with the company and actually received intelligent responses both at their 800 number - I placed my order that way - and in a response from their customer service people. Most remarkable - almost all organizations ignore such communication. It's ironic

Re: Security by asking the drunk whether he's drunk

2008-12-28 Thread David Molnar
Ben Laurie wrote: I can't find discussion of Perspectives - hint? Service from a group at CMU that uses semi-trusted notary servers to periodically probe a web site to see which public key it uses. The notaries provide the list of keys used to you, so you can attempt to detect things like a

Re: Security by asking the drunk whether he's drunk

2008-12-28 Thread Jerry Leichter
On Dec 27, 2008, at 10:02 AM, Ben Laurie wrote: On Fri, Dec 26, 2008 at 7:39 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Adding support for a service like Perspectives (discussed here a month or two back) would be a good start since it provides some of the assurance that a commercial

Re: Security by asking the drunk whether he's drunk

2008-12-27 Thread Jerry Leichter
On Dec 26, 2008, at 2:39 AM, Peter Gutmann wrote: d...@geer.org writes: I'm hoping this is just a single instance but it makes you remember that the browser pre-trusted certificate authorities really needs to be cleaned up. Given the more or less complete failure of commercial PKI for

Re: Security by asking the drunk whether he's drunk

2008-12-27 Thread Ben Laurie
On Fri, Dec 26, 2008 at 7:39 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Adding support for a service like Perspectives (discussed here a month or two back) would be a good start since it provides some of the assurance that a commercial PKI can't (and as an additional benefit it also

Re: Security by asking the drunk whether he's drunk

2008-12-26 Thread Peter Gutmann
d...@geer.org writes: I'm hoping this is just a single instance but it makes you remember that the browser pre-trusted certificate authorities really needs to be cleaned up. Given the more or less complete failure of commercial PKI for both SSL web browsing and code-signing (as evidenced by the

Re: Security by asking the drunk whether he's drunk

2008-12-25 Thread dan
or asking Can I trust you? --- http://blog.startcom.org/?p=145 Slashdot and others are reporting on this story about how it was possible for a person to receive a completely valid certificate for a random domain of his choosing without any

Re: Security by asking the drunk whether he's drunk

2008-12-25 Thread Peter Gutmann
Adam Shostack a...@homeport.org writes: Thank you! I hadn't seen this either, and it's exactly what I was looking for. One note of caution with the statistics given on that page, those figures are apparently as reported by the Malicious Software Removal Tool (MSRT) (see

Re: Security by asking the drunk whether he's drunk

2008-12-25 Thread Jerry Leichter
Just one minor observation: On Dec 22, 2008, at 5:18 AM, Peter Gutmann wrote: This leads to a scary rule of thumb for defenders: 1. The attackers have more CPU power than any legitimate user will ever have, and it costs them nothing to apply it. Any defence based on resource

Re: Security by asking the drunk whether he's drunk

2008-12-23 Thread Adam Shostack
[Moderator's note: top posting and failing to trim what you're replying to are both considered bad form... --Perry] Peter, Do you have evidence of either Authenticode or business impersonation? I agree that they're highly plausible, but you say if the putative owner of an AuthentiCode

Re: Security by asking the drunk whether he's drunk

2008-12-23 Thread Peter Gutmann
Adam Shostack a...@homeport.org writes: Do you have evidence of either Authenticode or business impersonation? I agree that they're highly plausible, but you say if the putative owner of an AuthentiCode certificate used to sign a piece of malware is ever tracked down then it's invariably some

Re: Security by asking the drunk whether he's drunk

2008-12-23 Thread Peter Gutmann
Adam Shostack a...@homeport.org writes: I'd be ecstatic with a frequency analysis that I could show to people. This always happens right after you hit ^D... it turns out that Microsoft actually has published figures for this, although it's fairly recent so I hadn't seen it before now:

Security by asking the drunk whether he's drunk

2008-12-21 Thread Peter Gutmann
I recently had an opportunity to talk to someone who had had a family member become a victim of identity fraud, not in the usual manner to target them directly but as a springboard to target others by registering a phishing site in their name. Variations on this theme include using stolen