[110298] in North American Network Operators' Group


Re: Security team successfully cracks SSL using 200 PS3's and MD5

daemon@ATHENA.MIT.EDU (Joe Abley)
Fri Jan 2 12:39:44 2009

From: Joe Abley <jabley@hopcount.ca>
To: Joe Greco <jgreco@ns.sol.net>
In-Reply-To: <200901021733.n02HXnAN047547@aurora.sol.net>
Date: Fri, 2 Jan 2009 12:39:30 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


On 2 Jan 2009, at 12:33, Joe Greco wrote:

> We cannot continue to justify security failure on the basis that a
> significant percentage of the clients don't support it, or are broken in
> their support.  That's an argument for fixing the clients.

At a more basic level, though, isn't failure guaranteed for these kinds
of clients (web browsers) so long as users are conditioned to click OK/
Continue for every SSL certificate failure that is reported to them?

If I were attempting a large-scale man-in-the-middle attack, perhaps
I'd be happier to do no work and intercept 5% of sessions (those who
click OK on a certificate that is clearly bogus) than I would to do an
enormous amount of work and intercept 100% (those who would see no
warnings). And surely 5% is a massive underestimate.


Joe
