Dailydave mailing list archives

Re: Questions about MD5+CA
From: "Thomas Ptacek" <tqbf () matasano com>
Date: Tue, 30 Dec 2008 13:33:42 -0600

If you take everything in the paper at face value, a couple things
mitigate this attack:

* The research team had access not only to a cluster of PS3s but to a
specially optimized MD5 collision-finding implementation, which they
had because Lenstra's team has been playing with a PS3 cluster for

* The research team had access to a currently-unpublished optimization
to (presumably the birthday-bits search part of) the collision-finding

* The attack could be made impractical by randomizing the serial
numbers for all future certs issued by RapidSSL (and, presumably, by
banning MD5).

On Tue, Dec 30, 2008 at 11:43 AM, Dave Aitel <dave () immunityinc com> wrote:

So if someone was able to get a root CA for $20000 - shouldn't we
remove the RapidSSL root CA from our browsers with the next browser
update? I don't see why people think this would be hard to replicate
and hasn't been done previously to RapidSSL. Is it because no one
other than that one team can do math or buy PS3s?

Microsoft's advisory on this is essentially defaulting to the "No one
else has ever done this" position. This is weird. Trusted Roots that
could have been used to sign these things need to get re-issued,
right? What am I missing here?

"You fail and are no longer trusted" seems like a viable option here
that people are avoiding for some reason.

-dave



Dailydave mailing list
Dailydave () lists immunitysec com

Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
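A check a defender could run over a CA's issued certificates for the two points the reply raises (MD5 signatures and predictable serial numbers), written as an added example for this archive page, not code from the thread or from anyone on it. The sample certificates are constructed inline and reduced to the leading TBS fields the audit reads; the 64-bit serial threshold is an assumption.

```python
import os

MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # md5WithRSAEncryption, 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption, 1.2.840.113549.1.1.11
MIN_SERIAL_BITS = 64  # assumed threshold; a serial shorter than this is treated as predictable

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long definite-length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: next k bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def make_cert_prefix(serial: int, sig_oid: bytes) -> bytes:
    """Constructed stand-in for Certificate { tbsCertificate ... }: only version, serial, sig alg."""
    version = der(0xA0, der(0x02, b"\x02"))                       # [0] EXPLICIT INTEGER v3
    ser = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))  # leading 0x00 keeps it positive
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))          # AlgorithmIdentifier { OID, NULL }
    return der(0x30, der(0x30, version + ser + alg))

def audit(cert: bytes) -> dict:
    """Walk the DER to the serial and signature OID and flag the two weaknesses."""
    tbs = read_tlv(read_tlv(cert, 0)[1], 0)[1]          # Certificate -> tbsCertificate content
    tag, content, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                                      # optional version present, skip to serial
        tag, content, pos = read_tlv(tbs, pos)
    serial = int.from_bytes(content, "big", signed=True)
    oid = read_tlv(read_tlv(tbs, pos)[1], 0)[1]          # AlgorithmIdentifier -> its OID
    return {"serial": serial,
            "md5_signed": oid == MD5_RSA_OID,
            "weak_serial": serial.bit_length() < MIN_SERIAL_BITS}

# Constructed samples: a 2008-style cert (MD5, small sequential serial) and a fixed one.
LEGACY = make_cert_prefix(643019, MD5_RSA_OID)
FIXED = make_cert_prefix(int.from_bytes(os.urandom(8), "big") | (1 << 63), SHA256_RSA_OID)

if __name__ == "__main__":
    for name, cert in (("legacy", LEGACY), ("fixed", FIXED)):
        print(name, audit(cert))
```

Both flags must clear before a cert is treated as safe from this attack: a random serial under an MD5 signature still leaves the hash broken, and a SHA-256 signature over a sequential serial still documents a CA that has not fixed its issuance.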
