Tuesday, December 30, 2008

Forged CAs

Update #1 - Jan 2nd, 2009

It looks like Verisign has fixed it (or at least thinks it has) ...

https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php

Reading between the lines, they've tweaked their cert issuing backend so that vulnerable certs cannot be issued. In other words, what the Clever White Hats originally did was get a website cert and then turn it into a root cert, and Verisign has changed their procedures so that vulnerable certs can no longer be issued.

This is called a work-around, as opposed to a true fix, but it's probably good enough.

We'll continue to monitor the situation, but I think all is well.

Cheers

Roger


Hi folks,

One of the most interesting developments in the last few weeks came at the 25c3 conference. The nub of the matter is that some really clever researchers have figured out how to break SSL. In other words, if this stuff were to become widespread, you couldn't trust a website anymore that was offering an https connection.

This would suck for the web in general, except that it's hard to duplicate. What this means is that it probably falls into the category of "This will be really bad if it ever happens, but it's by no means certain to happen."

I don't think there are any easy fixes for this, and we'll just have to watch to see how it unfolds.

I'm just glad it's at least hard to duplicate.

Cheers

Roger

1 comment:

Anonymous said...

I think you have misinterpreted the seriousness of this hack. This hack, if successfully done by black hats, puts them in the position to generate a valid SSL certificate for any website of their choice, over and over again.

Lex