Home page logo

nanog logo nanog mailing list archives

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
From: Jasper Bryant-Greene <jasper () unleash co nz>
Date: Sat, 3 Jan 2009 09:07:18 +1300

On 3/01/2009, at 6:06 AM, Steven M. Bellovin wrote:

On Fri, 2 Jan 2009 17:53:55 +0100
"Terje Bless" <link () pobox com> wrote:

On Fri, Jan 2, 2009 at 5:44 PM,  <Valdis.Kletnieks () vt edu> wrote:
Hmm... so basically all deployed FireFox and IE either don't even
try to do a CRL, or they ask the dodgy certificate "Who can I ask
if you're dodgy?"

Hmm. Don't the shipped-with-the-browser trusted root certificates
include a CRL URL?

Every CA runs its own CRL server -- it has to be that way.

But the engineered certificate won't be considered trusted if its whole chain back to the root isn't trusted, and one or more of the certificates in that chain should have been shipped with the browser and hopefully includes a CRL URL.

Although they won't want to, surely the roots should revoke their root certificates that issued MD5-signed certificates, and issue new root certificates for issuing SHA-1-signed certificates. Browsers would then stop trusting all the MD5-signed certificates due to them not having a trusted chain back to the root, assuming they bother to check all the certificates in the chain for revocation.

Of course, this will just make the browsers pop up dialog boxes which everyone will click OK on...

Jasper Bryant-Greene
Network Engineer, Unleash

ddi: +64  3 978 1222
mob: +64 21 129 9458

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]