Home page logo
/

nanog logo nanog mailing list archives

Re: Security team successfully cracks SSL using 200 PS3's and MD5
From: Nick Hilliard <nick () foobar org>
Date: Sat, 03 Jan 2009 18:41:52 +0000

Christopher Morrow wrote:
This is a function of an upgrade (firefox3.5 coming 'soon!') for
browsers, and for OS's as well, yes? So, given a future flag-day (18
months from today no more MD5, only SHA-232323 will be used!!)
browsers for the majority of the market could be upgraded. Certainly
there are non-browsers out there (eudora, openssl, wget,
curl..bittorrent-clients, embedded things) which either will lag more
or break all together.

I think you might be downplaying the size of the problem here.  X.509 and
TLS/SSL isn't just used for browsers, but for a wide variety of places
where there is a requirement for PKI based security.  So when you talk
about a flag day for dealing with SHA-X (where X != 1), have you considered
the logistical problems of upgrading all those embedded devices around the
world?  The credit card terminals?  The tiny CPE vpn units?  The old
machine in the corner which handles corporate sign-on, where the vendor has
now gone bust and no-one has the source code.  And the large web portal
which had a whole bunch of local apache customisations based on apache
1.3.x and where the original developers left for greener pa$ture$, and
no-one in-house really understands what they did any longer.  Etc, etc.

It's different if you have a protocol which allows parameter negotiation to
deal with issues like this, but not so good when you don't.

Nick


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault