[110292] in North American Network Operators' Group
Re: Security team successfully cracks SSL using 200 PS3's and MD5
daemon@ATHENA.MIT.EDU (Gadi Evron)
Fri Jan 2 11:08:58 2009
Date: Fri, 2 Jan 2009 10:08:42 -0600 (CST)
From: Gadi Evron <ge@linuxbox.org>
To: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <A1FA62D5-4499-4749-91C4-C8685FB3FC75@hopcount.ca>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Fri, 2 Jan 2009, Joe Abley wrote:
>
> On 2009-01-02, at 09:04, Rodrick Brown wrote:
>
>> A team of security researchers and academics has broken a core piece
>> of Internet technology. They made their work public at the 25th Chaos
>> Communication Congress in Berlin today. The team was able to create a
>> rogue certificate authority and use it to issue valid SSL certificates
>> for any site they want. The user would have no indication that their
>> HTTPS connection was being monitored/modified.
>
> I read a comment somewhere else that while this is interesting, and good
> work, and well done, in practice it's much easier to social-engineer a
> certificate with a stolen credit card from a real CA than it is to create a
> fake CA.
>
> (I'd give proper attribution if I could remember who it was, but it put
> things into perspective for me at the time so I thought I'd share.)
My facebook status? :P
