[110304] in North American Network Operators' Group
RE: Security team successfully cracks SSL using 200 PS3's and MD5
daemon@ATHENA.MIT.EDU (Deepak Jain)
Fri Jan 2 15:49:47 2009
From: Deepak Jain <deepak@ai.net>
To: Jasper Bryant-Greene <jasper@unleash.co.nz>, "Steven M. Bellovin"
<smb@cs.columbia.edu>
Date: Fri, 2 Jan 2009 15:49:24 -0500
In-Reply-To: <8B0CF863-02FA-4580-8E2E-3D7A8DFBB8BF@unleash.co.nz>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> Of course, this will just make the browsers pop up dialog boxes which
> everyone will click OK on...
>
And this brings us to an even more interesting question, since everything is trusting their in-browser root CAs and such. How trustable is the auto-update process? If one does provoke a mass-revocation of certificates and everyone needs to update their browsers... how do the auto-update daemons *know* that what they are getting is the real deal?
[I haven't looked into this, just bringing it up. I'm almost certain it's less secure than the joke that is SSL certification].
Happy New Year!
Deepak
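Editor's added example, not part of this thread and not a description of any particular browser's updater: the separation Deepak's question points at is between the TLS channel the update is fetched over and the key that vouches for the update itself. An updater that pins the vendor's release-signing key has a trust root independent of the browser's CA store, so a CA compromise or a mass revocation does not, by itself, let whoever controls the download server feed it a fake update. The Go program below is example code written for this page; the manifest format, the field names, the version numbers and the sample payload are all assumptions made up here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed description of one release (format assumed for this
// example). The client parses it only after the signature over the raw bytes
// has verified.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update payload
}

// SignManifest runs on the vendor side with the release key (kept offline in
// practice). It returns the exact bytes that were signed plus the signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyUpdate is the client side. pinnedPub is compiled into the updater, so
// this check holds no matter which CAs the TLS layer trusts or has revoked.
// installedVersion lets the client refuse a genuine but older release replayed
// by whoever controls the download path.
func VerifyUpdate(pinnedPub ed25519.PublicKey, raw, sig, payload []byte, installedVersion int) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinnedPub, raw, sig) {
		return m, errors.New("manifest signature does not verify against pinned key")
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return m, fmt.Errorf("malformed manifest: %w", err)
	}
	if m.Version <= installedVersion {
		return m, fmt.Errorf("rollback refused: offered version %d, installed %d", m.Version, installedVersion)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return m, errors.New("manifest carries no usable sha256")
	}
	got := sha256.Sum256(payload)
	if !bytes.Equal(got[:], want) {
		return m, errors.New("payload hash does not match signed manifest")
	}
	return m, nil
}

func main() {
	// Vendor side. The key pair is generated here only to keep the demo
	// self-contained; a real vendor's public key would be pinned at build time.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed sample update payload, release 42") // constructed sample
	sum := sha256.Sum256(payload)
	raw, sig, err := SignManifest(priv, Manifest{Version: 42, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}

	// Client side, currently on release 41.
	m, err := VerifyUpdate(pub, raw, sig, payload, 41)
	fmt.Println("genuine release:", m.Version, err)

	// Download server (or anyone holding a mis-issued TLS cert for it) swaps the payload.
	_, err = VerifyUpdate(pub, raw, sig, []byte("trojaned payload"), 41)
	fmt.Println("swapped payload:", err)

	// Attacker signs their own manifest: the pinned key does not know that signer.
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilRaw, evilSig, _ := SignManifest(evilPriv, Manifest{Version: 43, SHA256: hex.EncodeToString(sum[:])})
	_, err = VerifyUpdate(pub, evilRaw, evilSig, payload, 41)
	fmt.Println("rogue signer:", err)

	// Genuine release 42 replayed to a client already on 42.
	_, err = VerifyUpdate(pub, raw, sig, payload, 42)
	fmt.Println("rollback:", err)
}
```

The point of the design is that TLS only has to get the bytes there; authenticity comes from the pinned key, and the hash in the signed manifest means the payload can be served from any mirror. What this moves the risk to is the release key and its rotation, which the example deliberately does not cover: a pinned key that leaks, or that cannot be replaced in clients already in the field, is the updater's own version of the revocation problem raised in the thread.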