Home page logo
/

nanog logo nanog mailing list archives

Re: Security team successfully cracks SSL using 200 PS3's and MD5
From: Joe Greco <jgreco () ns sol net>
Date: Sun, 4 Jan 2009 15:58:34 -0600 (CST)

"SSL is cracked, VeriSign to blame!" was pretty much the top security  
story for several days.  They had to do something to turn around the  
perception, despite accurate analysis and publications by  
organizations such as Microsoft.  Perception is reality, and  
regardless of the technical merits, a significant amount of people  
seemed to believe that any certificates that mentioned MD5 anywhere in  
them are at risk of some unknown, but really scary Badness(tm).

Perception is, sadly, not reality, no matter what you wish to argue.
(Sorry!)

For years, some people had a "perception" that DNS was reasonably safe
and secure by virtue of the transaction ID and the difficulty in slipping
in a bad update.  Some of us were aware that increases in bandwidth and 
processor power would reduce the difficulty, and certainly the issue had
been discussed in some detail even back in the 1990's.  The "perception"
of DNS security turned into the reality of Our-DNS-House-Is-On-Fire last
year.

I agree with VeriSign that offering to reissue certs is the smartest  
business decision they can make, considering their tagline is "The  
Value of Trust".  I disagree that it was technically necessary.

Reissuing existing certificates signed by MD5 accomplishes nothing.   

Incorrect.  As the number of MD5-signed certificates dwindles, the
feasibility of removing or disabling support for MD5-signed certs
increases.  Of course that assumes the reissues are signed by SHA.

Participation is voluntary, so if someone had managed to create a  
rogue CA, they certainly would not voluntarily destroy it by having  
their cert reissued! 

Of course.

Technically the only thing necessary to prevent  
this attack has already been done, and that is to stop issuing certs  
signed with MD5 so that no one else can create a rogue CA via this  
means.
 
Are we certain that existing certs cannot be subverted?

If they truly believed that there was a risk anyone else had done this  
already, they would need to revoke the CA cert, i.e. every vendor who  
shipped their CA cert in the default trusted issuer bundle would need  
to remove or invalidate it with a software update, but that would  
break _all_ the valid certificates signed by the CA.  In order to do  
that, they would need to proactively contact every customer with a  
valid cert to make sure they were updated.  What percentage of their  
customers do you think they would be able to reach (haven't changed  
contact information, etc)?  How many application vendors would  
actually remove the old CA and add the new one in a timely manner?   
How many of those vendors' customers would actually upgrade to the new  
version?

I don't know.  We've had fires before.  Fires with less obvious solutions
and higher costs-to-implement/fix.

So they've done what they need to in order to prevent future exploits,  
and obviously they aren't that worried that the exploit has actually  
been performed maliciously in the past.  Offering to reissue existing  
certs is a PR smokescreen (although a necessary one).

I would disagree; we are simply *aware* that MD5 certs have been subverted
in this particular way, but clearly this shows a weakness exists, and are
you prepared to guarantee that there are no other ways to subvert the
current MD5 system, possibly in a much different way?

Getting rid of the bad crypto - and come on, it's crypto we have known for
several years is bad - is not a PR smokescreen.  It's a smart move.  Why
wait for something truly bad to happen?

I think there's a huge fundamental misunderstanding.  It seems that  
the popular belief is that it's possible to use an existing MD5  
signature for any evil bits that you choose, which is not the case.   
The actual exploit in this case is the ability to "unlock" a normal  
certificate to make it a CA certificate.  Of course phrasing it that  
way wouldn't be quite so sensational (and wouldn't have accomplished  
the researcher's goal of raising awareness to the weakness of MD5), so  
now we have mass misperception, which has become reality since  
anything that is published is automatically true.

So, any current MD5-signed cert carries with it some vague risk that it
could potentially be subverted.  I'm ... failing ... to see the huge
fundamental misunderstanding you refer to.

I'm not saying it's bad that people are shying aware from MD5, I just  
like to be accurate.

In any case, it has spawned some healthy discussions so I would say it  
was worthwhile.

Certainly.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault