Researchers Show How to Forge Site Certificates
David G. Koontz
david_koontz at xtra.co.nz
Tue Dec 30 14:25:04 EST 2008
http://www.freedom-to-tinker.com/blog/felten/researchers-show-how-forge-site-certificates
By Ed Felten - Posted on December 30th, 2008 at 11:18 am
Today at the Chaos Computing Congress, a group of researchers (Alex Sotirov,
Marc Stevens, Jake Appelbaum, Arjen Lenstra, Benne de Weger, and David
Molnar) announced that they have found a way to forge website certificates
that will be accepted as valid by most browsers. This means that they can
successfully impersonate any website, even for secure connections.
---
Through the use of MD5 collisions. The slides from the presentation are
available here:
http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html
The presentation is entitled "MD5 considered harmful today, Creating a rogue CA
Certificate".
The collisions were found with a cluster of 200 PlayStation 3's (slide 3; see
slide 25 for a picture of the cluster; finding a collision took one to two
days).
They apparently did a live demo, using forged certificates in a
man-in-the-middle attack on a wireless network that the audience could access
(slide 5).
CAs still using MD5 in 2008 (slide 19):
- RapidSSL
- FreeSSL
- TrustCenter
- RSA Data Security
- Thawte
- verisign.co.jp
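Added example, not code from the post, the CCC slides or the researchers: the CA's signature covers only the digest of the DER-encoded tbsCertificate, so a rogue certificate whose tbsCertificate collides under MD5 with a legitimately issued one carries a valid CA signature. The practical check a relying party can make is whether any certificate in a chain is signed with an MD5-based algorithm at all. The script below is a hand-rolled DER walker that does that (the function names inspect_certificate, scan_chain and build_sample_cert are mine); it also flags a certificate whose inner tbs.signature algorithm disagrees with the outer signatureAlgorithm, which RFC 5280 requires to match. The sample certificates are constructed in the script with placeholder names, keys and signatures and are not real CA output; it also flags SHA-1, which became collision-prone after the 2008 talk.

```python
# Added example (not from the mailing-list post or the CCC slides): screen DER
# certificates for MD5-based signature algorithms and report the MD5 of the
# bytes the CA actually signed (the whole tbsCertificate TLV).  Sample
# certificates are constructed below with placeholder contents.
import hashlib

MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
NAMES = {MD5_WITH_RSA: "md5WithRSAEncryption",
         SHA1_WITH_RSA: "sha1WithRSAEncryption",
         SHA256_WITH_RSA: "sha256WithRSAEncryption"}
# Hashes with practical collision attacks: MD5 (this 2008 talk), SHA-1 (2017).
COLLISION_PRONE = {MD5_WITH_RSA, SHA1_WITH_RSA}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }."""
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def inspect_certificate(der):
    """Signing algorithm, RFC 5280 inner/outer consistency, MD5 of signed bytes."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, end_tbs = _read_tlv(cert, 0)          # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, end_tbs)      # signatureAlgorithm
    # tbsCertificate: [0] version OPTIONAL, serialNumber, signature, issuer, ...
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                 # version present: skip serial too
        _, _, pos = _read_tlv(tbs, pos)
    _, inner_alg, _ = _read_tlv(tbs, pos)
    outer, inner = _algorithm_oid(outer_alg), _algorithm_oid(inner_alg)
    return {"signature_algorithm": NAMES.get(outer, outer),
            "collision_prone_hash": outer in COLLISION_PRONE,
            "algorithm_mismatch": outer != inner,   # RFC 5280 4.1.1.2 requires equality
            "tbs_md5": hashlib.md5(cert[:end_tbs]).hexdigest()}


def scan_chain(chain):
    """Return (index, finding) for every certificate a verifier should reject."""
    return [(i, r) for i, r in enumerate(map(inspect_certificate, chain))
            if r["collision_prone_hash"] or r["algorithm_mismatch"]]


# --- minimal DER encoder, used only to build the constructed samples ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk, p = [p & 0x7F], p >> 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _alg(dotted):
    return _tlv(0x30, _oid(dotted) + b"\x05\x00")   # NULL parameters


def build_sample_cert(inner_alg, outer_alg, serial=1):
    """Constructed v3 certificate skeleton; issuer, validity, subject, key and
    signature are empty placeholders, only the fields the scanner reads matter."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))   # version v3
                     + _tlv(0x02, bytes([serial]))     # serialNumber
                     + _alg(inner_alg)                 # signature
                     + _tlv(0x30, b"") * 4)            # placeholder fields
    signature = _tlv(0x03, b"\x00" * 17)               # placeholder BIT STRING
    return _tlv(0x30, tbs + _alg(outer_alg) + signature)


if __name__ == "__main__":
    chain = [build_sample_cert(SHA256_WITH_RSA, SHA256_WITH_RSA, 1),  # fine
             build_sample_cert(MD5_WITH_RSA, MD5_WITH_RSA, 2),        # MD5-signed
             build_sample_cert(SHA256_WITH_RSA, MD5_WITH_RSA, 3)]     # inconsistent
    for index, finding in scan_chain(chain):
        print(index, finding)
```

On a real chain, feed scan_chain the DER of each certificate (for PEM input, base64-decode the body between the BEGIN/END lines first); anything reported should be treated as untrusted rather than merely logged, since the whole point of the talk is that an MD5 signature proves nothing about which tbsCertificate the CA saw.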
---------------------------------------------------------------------
The Cryptography Mailing List