In 2008 Hackers Broke the Internet

Twice! First it was Dan Kaminsky and now it is Jacob Appelbaum and Alexander Sotirov. I am quite interested to get further details of their research titled Making the theoretical possible which should take place tomorrow at this year’s CCC event.

Their proposal is heavily censored but based on what I’ve read so far, my feeling is that they will be talking about breaking a routing protocol, perhaps BGP. It just makes sense and I can already see what they might have in mind. I also think that the attack will be simple as hell but enormously impressive.

All in all, good stuff!

Comments

Fabio responds:

Errata Security thinks will be “something to do with PKI (public key cryptography)”
http://erratasec.blogspot.com/.....acted.html

pdp responds:

often things get quite over-hyped without even pushing them. i am sure that the research is great but who knows what it might turn out to be at the end. however, I get the feeling that it wont be related to PKI at all.

Janus Cook responds:

Oh my. The ENTIRE internet?

I better start backing up my gopher bookmarks then.
*shakes head*

myname responds:

We’ve changed our previously semi-obscure title of �Making the theoretical possible� to �MD5 considered harmful today: Creating a rogue CA certificate.�
http://ioerror.livejournal.com/

Janus Cook responds:

Awww. So all they did is create a rogue CA cert.
I guess my cherished gopher is safe :D

pdp responds:

interesting research and impressive result but the Internet will survive.

pdp responds:

I guess on browser level, this attack can be mitigated to an extend.

Mark responds:

Playstation 3s? Interesting choice, but a good way to make a proof of concept. Read up and see its because of the Intel chipset.

Janus Cook responds:

Re: pdp’s “I guess on browser level, this attack can be mitigated to an extend.”

They researched what, 30.000 certificates, of which 9000 were MD5 signed and 97% of those were from RapidSSL.

The really good solution is to urge companies not to use certs from RapidSSL, and for RapidSSL to improve the randomization of their auto generated keys. Which they are doing right NOW, working through new year’s eve, to keep the few customers they had left.

Yes, that’s 270 certificates signed by other CA certs that MIGHT be spoofed. That’s nothing on an internet-wide scale.

The impact of this is wildly overstated, and it ‘breaking the internet’ is quite a bold claim. But then again, that’s been the fad this year, hasn’t it? Announcing internet-breaking techniques, and when push comes to shove, it’s not actually that critical. (Heck, those swedish TCP stack breaking dudes don’t even have anything to show!)

In conclusion, what happened to actually checking the certificate you get sent, before confirming it? It’s been long known that the trust CA certs get is unjustified, and this proves it again. It’s this model that needs to be looked at, not MD5. It’s only a hash, and with enough computerpower collisions in any hash will become apparent. MD5 is old, and has served the world for what it’s worth. It’s been long time to retire this technique, and apparently many certs have.

pdp responds:

a system is as secure as the weakest link

Qxts responds:

simplicity is errithing
*slanted eyes*

ainvictus responds:

security is just as good as the ones using it.

GNUCITIZEN Products

Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.

Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.

Websecurify is a division of GNUCITIZEN. The initiative was established to provide a free web application security framework for automated and manual penetration testing. The service is still in private-beta.

Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.

Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.

Visit the GNUCITIZEN Network for a complete listing of all GNUCITIZEN initiatives, products and partnering organizations.

GNUCITIZEN

Navigation