Home page logo

nanog logo nanog mailing list archives

Re: Security team successfully cracks SSL using 200 PS3's and MD5
From: "Dorn Hetzel" <dhetzel () gmail com>
Date: Sat, 3 Jan 2009 09:38:10 -0500

Would using the combination of both MD5 and SHA-1 raise the computational
bar enough for now, or are there other good prospects for a harder to crack

On Sat, Jan 3, 2009 at 9:35 AM, William Warren <
hescominsoon () emmanuelcomputerconsulting com> wrote:

Dragos Ruiu wrote:

On 2-Jan-09, at 9:56 AM, Robert Mathews (OSIA) wrote:

 Joe Greco wrote:

[ ....  ]

Either we take the potential for transparent MitM attacks seriously, or
we do not.  I'm sure the NSA would prefer "not."  :-)

As for the points raised in your message, yes, there are additional
problems with clients that have not taken this seriously.  It is,
one thing to have locks on your door that you do not lock, and another
thing entirely not to have locks (and therefore completely lack the
ability to lock).  I hope that there is some serious thought going on in
the browser groups about this sort of issue.

[ ... ]

... JG

F Y I, see:

SSL Blacklist 4.0 - for a Firefox extension able to detect 'bad'
certificates @


Snort rule to detect said...

url: http://vrt-sourcefire.blogspot.com/2009/01/md5-actually-harmful.html

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Weak SSL
OSCP response -- MD5 usage"; content:"content-type:
application/ocsp-response"; content:"2A 86 48 86 F7 0D 01 01 05"; metadata:
policy security-ips drop, service http; reference: url,
www.win.tue.nl/hashclash/rogue-ca/; classtype: policy-violation;


World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada  March 16-20 2009  http://cansecwest.com
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

 Everyone seems to be stampeding to SHA-1..yet it was broken in 2005.  So
we trade MD5 for SHA-1?  This makes no sense.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]