mailing list archives
Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Fri, 2 Jan 2009 17:45:56 -0500
On Fri, 2 Jan 2009 16:13:45 -0500
Deepak Jain <deepak () ai net> wrote:
If done properly, that's actually an easier task: you build the
update key into the browser. When it pulls in an update, it
verifies that it was signed with the proper key.
If you build it into the browser, how do you revoke it when someone
throws 2000 PS3s to crack it, or your hash, or your [pick algorithmic
If you use bad crypto, you lose no matter what. If you use good
crypto, 2,000,000,000 PS3s won't do the job.
--Steve Bellovin, http://www.cs.columbia.edu/~smb