[nycbug-talk] [ccc related] MD5 considered harmful today

dingo dingo at 1984.ws
Wed Dec 31 02:16:27 EST 2008




On Wed, 31 Dec 2008 01:01:38 -0500, "Jesse Callaway" <bonsaime at gmail.com>
wrote:
> On Tue, Dec 30, 2008 at 9:19 PM, Miles Nordin <carton at ivy.net> wrote:
> 
>> >>>>> "cs" == Charles Sprickman <spork at bway.net> writes:
>>
>>    cs> https://www.win.tue.nl/hashclash/rogue-ca/
>>
>> ``Until Firefox 3 and IE 7, certificate revocation was disabled by
>>  default. Even in the latest versions, the browsers rely on the
>>  certificate to include a URL pointing to a revocation server.''
> 
> 
> man that sucks... so even if this issue in the paper is addressed, it
> won't
> matter until the browsers fix the revocation mechanism.
> 

No. It wont matter until everyone stops pretending x509 isn't a
total piece of ass created by monopolies and teclos to profit
off the internet. its all horse shit. certs don't matter.

Give this a read:
http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt

and the next time you see the heading "MD5 considered harmful" in relation
to x509 certs and ssl, you'll say "Duh."

> 
>>
>>
>> pwaaaahahaha!  rapidssl ist gePWNen!
>>
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk
>>
> 
> I'll have to throw in the part that really wowed me... frankly I can
> barely
> wrap my head around the POTS creation of signed certs, but maybe I'm
dumb.
> Too many damn tiers... should rather be based on many peers, but I'll
> write
> the paper up later on this though : )
> 
>
http://www.win.tue.nl/hashclash/rogue-ca/<https://www.win.tue.nl/hashclash/rogue-ca/>:
> "It turned out to be possible to hide [MD5] collision blocks inside
> RSA
> moduli while even assuring the security of the pairs of moduli as being
> both
> products of sufficiently large primes. "
> 
> -jesse



More information about the talk mailing list