[nycbug-talk] [ccc related] MD5 considered harmful today
dingo
dingo at 1984.ws
Wed Dec 31 02:16:27 EST 2008
On Wed, 31 Dec 2008 01:01:38 -0500, "Jesse Callaway" <bonsaime at gmail.com>
wrote:
> On Tue, Dec 30, 2008 at 9:19 PM, Miles Nordin <carton at ivy.net> wrote:
>
>> >>>>> "cs" == Charles Sprickman <spork at bway.net> writes:
>>
>> cs> https://www.win.tue.nl/hashclash/rogue-ca/
>>
>> ``Until Firefox 3 and IE 7, certificate revocation was disabled by
>> default. Even in the latest versions, the browsers rely on the
>> certificate to include a URL pointing to a revocation server.''
>
>
> man that sucks... so even if this issue in the paper is addressed, it
> won't
> matter until the browsers fix the revocation mechanism.
>
No. It wont matter until everyone stops pretending x509 isn't a
total piece of ass created by monopolies and teclos to profit
off the internet. its all horse shit. certs don't matter.
Give this a read:
http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
and the next time you see the heading "MD5 considered harmful" in relation
to x509 certs and ssl, you'll say "Duh."
>
>>
>>
>> pwaaaahahaha! rapidssl ist gePWNen!
>>
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk
>>
>
> I'll have to throw in the part that really wowed me... frankly I can
> barely
> wrap my head around the POTS creation of signed certs, but maybe I'm
dumb.
> Too many damn tiers... should rather be based on many peers, but I'll
> write
> the paper up later on this though : )
>
>
http://www.win.tue.nl/hashclash/rogue-ca/<https://www.win.tue.nl/hashclash/rogue-ca/>:
> "It turned out to be possible to hide [MD5] collision blocks inside
> RSA
> moduli while even assuring the security of the pairs of moduli as being
> both
> products of sufficiently large primes. "
>
> -jesse
More information about the talk
mailing list