[nycbug-talk] [ccc related] MD5 considered harmful today
Isaac Levy
ike at lesmuug.org
Wed Dec 31 18:44:01 EST 2008
On Dec 31, 2008, at 2:45 AM, Miles Nordin wrote:
> I think it would be funny if these guys made a real CA cert with their
> exploit and started selling certs signed by their fake key for $2 each
> or something. Not illegitimate certs, like, email-contact-verified
> certs, the regular legitimate kind, just cheaper. Why not? It's
> probably even legal in some jurisdiction if not in most. And most
> webmasters just want to turn the browser bar green. It works now, so
> for $2 why not? I'd buy one. If it starts turning browser bars red
> some day, buy a more expensive cert _some day_, not now. The whole
> cert thing was such a racket to begin with, I wish they'd start
> selling fake ones.
Insanely great idea, IMHO- I mean, why not? It's like creating a new
currency (backed by insecurity).
--
Sidenote- everyone here who's dismissed OpenVPN, it almost goes
without saying that this is yet another rock in that bucket...
With that, and SSL/TLS email services, can anybody think of what other
cert/pki applications or protocols are at risk?
Rocket-
.ike