[Security] Rogue CAs

Eric Rescorla ekr at rtfm.com
Wed Dec 31 10:37:16 CST 2008


On Wed, Dec 31, 2008 at 8:32 AM, Ralph J.Mayer <rmayer at vinotech.de> wrote:
>> Again, this isn't correct. If the CCC team ever starts issuing false
>> certificates
>
> They just presented their talk at the Congress, they are not part of the
> CCC.

Fair enough. I was just too lazy to type all their names.


>> for real, the browser manufacturers will just blacklist it. It's really quite
>> straightforward.
>
> That's NOT the problem.
>
> What they showed is:
> - predictable serialnumbers suck
> - MD5 is weak enough to find a useable collision within a few days on a
>  a cluster of 200 PS3s (if you dont own that much PS3s, go to Amazon
>  EC2)

> The weakness of MD5 is known since 2004! So they proofed, that this
> attack not only works in theorie.

Yes, I agree with this.


> There are too many certificates out there that rely on MD5 and they
> should be replaced asap since you can not trust them anymore.

I sort of agree with this. Remember that this is a collision attack, so
it's only useful to the extent to which CAs continue to issue certificates
with MD5. My understanding is that all the remaining such CAs are
phasing it out *very* quickly if they haven't already done so.

-Ekr


More information about the Security mailing list