From: Bogdan Sass (bogdan.sass@catc.ro)
Date: Tue Dec 30 2008 - 18:51:05 ARST
... or at least that is how I interpret this scientific paper:
http://www.win.tue.nl/hashclash/rogue-ca/#sec1
For several years, I have been telling people (mostly students :) )
that "Yes, MD5 has vulnerabilities. Yes, we should move away from MD5.
But no, MD5 has not been cracked yet - not in the sense of <finding
collisions for a chosen text, such as a digital certificate>".
Well, that last step (a real-world attack based on the
vulnerabilities of MD5) has just been performed. The researchers managed
to create a fake certificate that is accepted by a browser as being
signed by a commercial CA. Furthermore, this certificate is an
_intermediate CA cert_ - which means that all certificates generated by
it will also be accepted as valid by web browsers. A very powerful (and
extremely scary) proof of concept!
Sorry if this is slightly OT, but I believe it really is something
that us networkers should be aware of (even if not working specifically
in the security field).
-- Bogdan Sass CCNP,CCSP,JNCIA-ER,CCIE #22221 (RS) Information Systems Security Professional "Curiosity was framed - ignorance killed the cat"Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:10 ARST