Add GeoTrust aka Equifax Secure Global eBusiness CA-1 On Wed, Dec 31, 2008 at 2:19 PM, David Lum <[email protected]> wrote: > The report itself (http://www.win.tue.nl/hashclash/rogue-ca/#sec5) listed > six CA's that issued MD5 certs in 2008: > > RapidSSL > C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1 > FreeSSL (free trial certificates offered by RapidSSL) > C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, > OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications > TC TrustCenter AG > C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks > GmbH, OU=TC TrustCenter Class 3 CA/[email protected] > RSA Data Security > C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority > Thawte > C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification > Services Division, CN=Thawte Premium Server > CA/[email protected] > verisign.co.jp > O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International > Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY > LTD.(c)97 VeriSign > > David Lum // SYSTEMS ENGINEER > NORTHWEST EVALUATION ASSOCIATION > (Desk) 971.222.1025 // (Cell) 503.267.9764 > -----Original Message----- > From: Troy Meyer [mailto:[email protected]] > Sent: Wednesday, December 31, 2008 2:09 PM > To: NT System Admin Issues > Subject: RE: Hackers create rogue CA certificate using MD5 collisions > > If the PS3 guys can crack an MD5 encrypted root certificate, they can create > their own CA that looks like a trusted authority and in turn the CA can > issue certificates that appear to be from that fake trusted authority. If a > public CA has a root cert that is encrypted with SHA1 they aren't > susceptible (yet) to having their certs faked. > > Faked certs could be used to make false websites look secure or genuine, > could be used to deploy software that appears to be from a trusted vendor, > or could be used to gain access to services/systems authenticated through > public certs. > > Hopefully this will be a kick in the rear to CAs using MD5. If you run a > site or service that uses certs from CAs like Equifax, Thawte, or GTE (all > have at least one valid CA with a root cert encrypted with MD5), check your > cert and the encryption of the signature at the top of the certificate path. > If your root cert was encrypted with MD5, I would get your CA on the phone > and have a conversation about possible risks. > > -troy > > > -----Original Message----- > From: Ben Scott [mailto:[email protected]] > Sent: Wednesday, December 31, 2008 1:06 PM > To: NT System Admin Issues > Subject: Re: Hackers create rogue CA certificate using MD5 collisions > > On Wed, Dec 31, 2008 at 11:13 AM, David Lum <[email protected]> wrote: >> Microsoft is not aware of specific attacks against MD5, so previously >> issued certificates that were signed using MD5 are not affected and do not >> need to be revoked. This issue only affects certificates being signed >> using >> MD5 after the publication of the attack method. > > I thought the idea was that an attacker would forge a certificate, > with info matching an existing certificate, but using a private key of > their own, and then set their fleet of PlayStation 3's to work to come > up with an MD5 collision, so they could use the signature from a real > certificate to sign their forgery. Or something like that. So not > only does this affect already-issued certificates, it depends on them. > Or am I misunderstanding? > >> Most public Certificate Authority roots no longer use MD5 to sign >> certificates, but have upgraded to the more secure SHA-1 algorithm. > > But as long as browsers still accept the older certificates, they'd > still be vulnerable, right? > > -- Ben > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > > >
~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
