[nycbug-talk] [ccc related] MD5 considered harmful today

Isaac Levy ike at lesmuug.org
Wed Dec 31 18:44:01 EST 2008

On Dec 31, 2008, at 2:45 AM, Miles Nordin wrote:

> I think it would be funny if these guys made a real CA cert with their
> exploit and started selling certs signed by their fake key for $2 each
> or something.  Not illegitimate certs, like, email-contact-verified
> certs, the regular legitimate kind, just cheaper.  Why not?  It's
> probably even legal in some jurisdiction if not in most.  And most
> webmasters just want to turn the browser bar green.  It works now, so
> for $2 why not?  I'd buy one.  If it starts turning browser bars red
> some day, buy a more expensive cert _some day_, not now.  The whole
> cert thing was such a racket to begin with, I wish they'd start
> selling fake ones.

Insanely great idea, IMHO- I mean, why not?  It's like creating a new currency (backed by insecurity).

Sidenote- everyone here who's dismissed OpenVPN, it almost goes without saying that this is yet another rock in that bucket...

With that, and SSL/TLS email services, can anybody think of what other cert/pki applications or protocols are at risk?
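One concrete check a defender can run when auditing the cert/PKI deployments asked about above, as an added example that is not from this thread: walk a DER-encoded X.509 certificate to its outer signatureAlgorithm OID and flag MD5-based algorithms. The `fake_cert` builder and its dummy tbsCertificate are constructed stand-ins so the script runs offline; real chains would be fed in as DER bytes instead.

```python
# Signature-algorithm OIDs that rely on MD2/MD5 (RFC 3279 / PKCS#1 values).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, start, _, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _, _, pos = _read_tlv(cert_der, start)          # skip tbsCertificate
    tag, start, _, _ = _read_tlv(cert_der, pos)        # signatureAlgorithm SEQUENCE
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, start, end, _ = _read_tlv(cert_der, start)    # its algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(cert_der[start:end])

def is_weak_signature(cert_der):
    """Return (flagged, oid); flagged is True when the cert was signed over MD2/MD5."""
    oid = signature_algorithm_oid(cert_der)
    return oid in WEAK_SIG_OIDS, oid

# --- constructed sample input (not a real certificate) ---------------------
def _der(tag, body):
    assert len(body) < 128                 # short-form length suffices for the sample
    return bytes([tag, len(body)]) + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))

def fake_cert(sig_oid):
    """Dummy tbsCertificate + AlgorithmIdentifier{oid, NULL} + empty BIT STRING signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _oid(sig_oid) + b"\x05\x00")
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

Run `is_weak_signature` over every certificate in a chain, not just the leaf: the rogue-CA construction this thread discusses hinges on an MD5-signed intermediate.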


