Home page logo

nanog logo nanog mailing list archives

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
From: Martin List-Petersen <martin () airwire ie>
Date: Fri, 02 Jan 2009 16:06:31 +0000

Joe Abley wrote:

On 2009-01-02, at 09:04, Rodrick Brown wrote:

A team of security researchers and academics has broken a core piece
of Internet technology. They made their work public at the 25th Chaos
Communication Congress in Berlin today. The team was able to create a
rogue certificate authority and use it to issue valid SSL certificates
for any site they want. The user would have no indication that their
HTTPS connection was being monitored/modified.

I read a comment somewhere else that while this is interesting, and good
work, and well done, in practice it's much easier to social-engineer a
certificate with a stolen credit card from a real CA than it is to
create a fake CA.

(I'd give proper attribution if I could remember who it was, but it put
things into perspective for me at the time so I thought I'd share.)

It is. But this issue might open for man-in-the-middle attacks, which is
much harder for issued certificates.

Issued certificates usually also incorporate a check, that you control a
domain etc.

With engineered certificates you can practically avoid that whole process.

Kind regards,
Martin List-Petersen
Airwire - Ag Nascadh Pobal an Iarthar
Phone: 091-865 968

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]