[nycbug-talk] [ccc related] MD5 considered harmful today

Miles Nordin carton at Ivy.NET
Tue Jan 6 07:19:44 EST 2009

>>>>> "il" == Isaac Levy <ike at lesmuug.org> writes:

    il> everyone here who's dismissed OpenVPN, it almost goes without
    il> saying that this is yet another rock in that bucket...

what?  I've never used openvpn, but does it even use the signatures at
all, or do you point to the whole key?  Even if it uses signatures,
the attack depends on getting a specially-crafted RSA key with
collision blocks in it signed by the CA.  VPN setups generally do not
use public CA's nor auto-signing CA's so this particular practical
attack isn't relevant.  though the advice use SHA-1 or SHA-2 instead
still applies, that's not a rock because I'm sure you can follow that
advice with openvpn if you want to.

I'm not an openvpn fan, nor an x.509/asn/taxonomy-of-everything fan,
but it's worth understanding the attack better than ``anything
containing x.509 is no longer trustworthy!''
