[141459] in cryptography@c2.net mail archive
Researchers Show How to Forge Site Certificates |
daemon@ATHENA.MIT.EDU (David G. Koontz)
Tue Dec 30 19:10:05 2008
Date: Wed, 31 Dec 2008 08:25:04 +1300
From: "David G. Koontz" <david_koontz@xtra.co.nz>
To: 'Cryptography' <cryptography@metzdowd.com>
http://www.freedom-to-tinker.com/blog/felten/researchers-show-how-forge-site-certificates
By Ed Felten - Posted on December 30th, 2008 at 11:18 am
Today at the Chaos Computing Congress, a group of researchers (Alex Sotirov,
Marc Stevens, Jake Appelbaum, Arjen Lenstra, Benne de Weger, and David
Molnar) announced that they have found a way to forge website certificates
that will be accepted as valid by most browsers. This means that they can
successfully impersonate any website, even for secure connections.
---
Through the use of MD5 collisions. The slides from the presentation are
available here:
http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html
The presentation is entitled "MD5 considered harmful today, Creating a rogue
CA Certificate".
The collisions were found with a cluster of 200 PlayStation 3's (slide
number 3; see slide number 25 for a picture of the cluster, a collision
taking one to two days).
They apparently did a live demo using forged certificates in a
man-in-the-middle attack using a wireless network during the demonstration,
with access by the audience. (slide number 5)
CAs still using MD5 in 2008: (slide number 19)
- RapidSSL
- FreeSSL
- TrustCenter
- RSA Data Security
- Thawte
- verisign.co.jp
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
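As an added illustration of the check a relying party would want after this announcement (my own code, not anything from the post, the blog or the talk), the following decodes the signatureAlgorithm OID from a DER-encoded X.509 certificate with a minimal DER parser and flags MD5-based signatures; the certificate bytes it parses are constructed placeholders, not a real certificate.

```python
# Added example (not from the original post or the talk): pull the
# signatureAlgorithm OID out of a DER-encoded X.509 certificate with a tiny
# pure-Python DER parser and flag MD5 signatures. Sample bytes are constructed.
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [content[0] // 40, content[0] % 40], 0   # first two arcs
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = more digits
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm (2nd element of Certificate)."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(cert)              # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def signed_with_md5(cert_der):
    """True when the signature hash is MD5, i.e. forgeable via collisions."""
    return signature_algorithm(cert_der) in MD5_SIGNATURE_OIDS

# Constructed sample input (placeholder tbsCertificate, dummy signature bits).
def tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form length suffices

def fake_cert(sig_oid):
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 4))

MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

A fuller check would also read the signature field inside tbsCertificate and confirm it matches the outer AlgorithmIdentifier, and would walk the whole chain rather than one certificate.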