Date sent: Tue, 30 Dec 2008 12:09:36 +0100
From: Jacob Appelbaum <[email protected]>

> http://events.ccc.de/2008/12/30/the-cat-is-out-of-the-bag/
>
> > MD5 considered harmful today: Creating a rogue CA certificate

OK, this is already hitting the mainstream media, and some real assessments are going to be needed.

The Bad Guys (TM) have been using fake or self-signed certs for a while. We can expect them to build a fake CA cert to start using for phishing sites shortly. (Although I wonder why they'd even bother ...)

First, you need 5 CAs that use MD5 hashes. How many do that? How many CAs use *only* MD5s?

Is it possible to revoke all the MD5 certs and push that out to all the browser updates within the next few weeks? Would that be effective?

Is this attack effective against SHA-1? How much longer would it take?

Others?

======================
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/
http://blog.isc2.org/isc2_blog/slade/index.html
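The inventory question above ("how many CAs use MD5?") comes down to reading the signatureAlgorithm field of each certificate, which records the scheme the issuing CA used. The following stdlib-only Python reader is an added example, not code from this message or the funsec list; the two sample certificates it builds are constructed, certificate-shaped DER for the demonstration and are not real certificates.

```python
"""Stdlib-only reader for the signatureAlgorithm of a DER X.509 certificate. Layout is
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode a base-128 OID body into dotted form, e.g. 1.2.840.113549.1.1.4."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate -> skip tbsCertificate -> AlgorithmIdentifier -> its OID."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)             # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)       # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def uses_md5(der):
    """True if the issuer signed this certificate with an MD5-based scheme."""
    return signature_algorithm_oid(der) in MD5_SIGNATURE_OIDS

def _tlv(tag, body):
    """Tiny DER encoder (short-form lengths only) for the constructed samples."""
    return bytes([tag, len(body)]) + body

def _fake_cert(sig_oid_hex):
    """Constructed certificate-shaped DER, NOT a real cert: dummy TBS and signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xaa" * 8))

SAMPLE_MD5_CERT = _fake_cert("2a864886f70d010104")     # md5WithRSAEncryption
SAMPLE_SHA256_CERT = _fake_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

For real input, pass the bytes of a DER file (base64-decode the body of a PEM file first) and run the check on every certificate in a chain, since the field tells you what that certificate's issuer used, not what the certificate itself signs with.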
