[110294] in North American Network Operators' Group
Re: Security team successfully cracks SSL using 200 PS3's and MD5
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Jan 2 11:44:44 2009
To: Joe Greco <jgreco@ns.sol.net>
In-Reply-To: Your message of "Fri, 02 Jan 2009 09:58:05 CST."
<200901021558.n02Fw5bs040941@aurora.sol.net>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 02 Jan 2009 11:44:33 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
--==_Exmh_1230914673_3517P
Content-Type: text/plain; charset=us-ascii
On Fri, 02 Jan 2009 09:58:05 CST, Joe Greco said:
> Anyways, I was under the impression that the whole purpose of the
> revocation capabilities of SSL was to deal with problems like this, and
> that a large part of the justification of the cost of an SSL certificate
> was the administrative burden associated with guaranteeing and maintaining
> the security of the chain.
What percentage of deployed browsers handle CRL's correctly?
Consider this snippet from the phreedom.org page (section 6.1):
"One interesting observation from our work is that the rogue certificate we
have created is very hard to revoke using the revocation mechanism available in
common browsers. There are two protocols for certificate revocation, CRL and
OSCP. Until Firefox 3 and IE 7, certificate revocation was disabled by default.
Even in the latest versions, the browsers rely on the certificate to include a
URL pointing to a revocation server. Our rogue CA certificate had very limited
space and it was impossible to include such a URL, which means that by default
both Internet Explorer and Firefox are unable to find a revocation server to
check our certificate against."
Hmm... so basically all deployed FireFox and IE either don't even try to do
a CRL, or they ask the dodgy certificate "Who can I ask if you're dodgy?"
What's wrong with this picture? (Personally, I consider this a potentially
bigger problem than the MD5 issue...)
--==_Exmh_1230914673_3517P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFJXkRxcC3lWbTT17ARAsRJAKDo+y7NHqJHr8cLJGPiQn4RT9DMqwCfW289
gCuwX2fDYb4Htf9ohw3zUTA=
=LWKs
-----END PGP SIGNATURE-----
--==_Exmh_1230914673_3517P--
