[personal profile] jducoeur
Serious Internet geeks may want to take a look at this article in Ars Technica.

Summary: it's been known for a while that the MD5 hash algorithm is a bit weak. Some researchers have used this weakness to create a *really* horrible hack, allowing them to impersonate a major top-level Certificate Authority for cert-signing purposes. They're not saying exactly how the hack works, but the implication is that hackers (using this and other known techniques) could use this to more or less completely impersonate major secure sites, so that users would have no way of knowing that they're talking to a forgery. Very, very, *very* bad.

Moral of the story is that, if you're using MD5 for anything really important, it may be time to move on to better algorithms. With any luck, this will spur all the CAs to do so -- certainly, I would hope that any financial institution would be putting the thumbscrews on its CAs to do so quickly...

(no subject)

Date: 2008-12-31 06:39 pm (UTC)
From: [personal profile] dsrtao
http://www.win.tue.nl/hashclash/rogue-ca/ is the full writeup.

Basically, the next release of every browser is going to stop accepting MD5 SSL certificates. Until then, SSL certificates aren't worth very much. At least two major CAs -- Geotrust and GTE CyberTrust -- have been issuing loads of MD5 certs. They're going to go through a major re-issuance phase, or else be laughed at when they try to downplay the significance of the breach.

Depends

Date: 2009-01-01 01:29 pm (UTC)
From: [identity profile] metageek.livejournal.com
"Until then, SSL certificates aren't worth very much."

Depends on the value of what they're protecting. I doubt anybody's going to spend $80K on hardware to crack the cert on my IMAP server.

(Not that I'm using MD5, mind you. I'm self-signed, since I have a userbase of two, so I can generate whatever I want.)


(no subject)

Date: 2009-01-01 03:10 am (UTC)
From: [identity profile] sichling.livejournal.com
MD5 hasn't been considered secure for years - at least for developing new protocols in the IETF. All hashes eventually become insecure (with increasing compute speed). This is why it is critical to have easy mechanisms for changing algorithms & identifying them.
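
As an added example (not part of the original post or its comments), one way to identify which signature algorithm a certificate uses: standard-library Python that reads the outer signatureAlgorithm OID from a DER-encoded certificate and flags MD2/MD5. The function names are hypothetical, and the sample input is a constructed DER skeleton with placeholder fields, not a real certificate.

```python
# Added example: constructed input, standard library only.
WEAK = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
MD5_OID = bytes.fromhex("06092a864886f70d010104")     # md5WithRSAEncryption
SHA256_OID = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode base-128 OID sub-identifiers into dotted notation."""
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    if not subs:
        raise ValueError("empty OID")
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def signature_oid(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    tag, start, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, tbs_end = read_tlv(cert, start)          # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)      # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID")
    return decode_oid(cert[oid_start:oid_end])

def audit(cert):
    """Return (oid, weak_name); weak_name is None when the OID is not flagged."""
    oid = signature_oid(cert)
    return oid, WEAK.get(oid)

def der(tag, body):  # encoder for the constructed sample only (length < 256)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def sample_cert(alg_oid):  # constructed skeleton with placeholder tbs and signature
    tbs = der(0x30, der(0x04, bytes(200)))
    return der(0x30, tbs + der(0x30, alg_oid + b"\x05\x00") + der(0x03, b"\x00\xaa\xbb"))
```

A full check would also compare this value against the signature field inside tbsCertificate, which this example skips.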

Thanks...that was fun!

Date: 2009-01-02 06:01 pm (UTC)
From: [identity profile] malvinareynolds.livejournal.com
Delving into security at work, and am being amazed at how laugh-out-loud funny this subject can be! I knew, for certain for sure, that absolutely everything could be found on deh intertubes when I found the tutorial on digital certificates done as Finger Puppet Theater. Egads...

-N
