[110290] in North American Network Operators' Group


Re: Security team successfully cracks SSL using 200 PS3's and MD5

daemon@ATHENA.MIT.EDU (Joe Abley)
Fri Jan 2 11:00:53 2009

From: Joe Abley <jabley@hopcount.ca>
To: Rodrick Brown <rodrick.brown@gmail.com>
In-Reply-To: <bb075cdf0901020604n388729e6w9c6da4e5b54f1b2b@mail.gmail.com>
Date: Fri, 2 Jan 2009 11:00:34 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


On 2009-01-02, at 09:04, Rodrick Brown wrote:

> A team of security researchers and academics has broken a core piece
> of Internet technology. They made their work public at the 25th Chaos
> Communication Congress in Berlin today. The team was able to create a
> rogue certificate authority and use it to issue valid SSL certificates
> for any site they want. The user would have no indication that their
> HTTPS connection was being monitored/modified.

I read a comment somewhere else that while this is interesting, and
good work, and well done, in practice it's much easier to
social-engineer a certificate with a stolen credit card from a real CA
than it is to create a fake CA.

(I'd give proper attribution if I could remember who it was, but it  
put things into perspective for me at the time so I thought I'd share.)


Joe


