Comments on: In 2008 Hackers Broke the Internet

By: ainvictus

ainvictus — Tue, 03 Mar 2009 12:11:41 +0000

security is just as good as the ones using it.

By: Qxts

Qxts — Thu, 15 Jan 2009 13:06:37 +0000

simplicity is errithing
*slanted eyes*

By: Researchers devise undetectable phishing attack | Creative Zone Blog

Researchers devise undetectable phishing attack | Creative Zone Blog — Sat, 03 Jan 2009 11:16:17 +0000

[...] Congress hacker conference, held in Berlin Tuesday, in a talk that has already been the subject of some speculation in the Internet security [...]

By: JustIn

JustIn — Thu, 01 Jan 2009 17:26:56 +0000

http://www.win.tue.nl/hashclash/rogue-ca/

By: pdp

pdp — Wed, 31 Dec 2008 11:04:34 +0000

a system is as secure as the weakest link

By: Janus Cook

Janus Cook — Wed, 31 Dec 2008 10:16:00 +0000

Re: pdp’s “I guess on browser level, this attack can be mitigated to an extend.”

They researched what, 30.000 certificates, of which 9000 were MD5 signed and 97% of those were from RapidSSL.

The really good solution is to urge companies not to use certs from RapidSSL, and for RapidSSL to improve the randomization of their auto generated keys. Which they are doing right NOW, working through new year’s eve, to keep the few customers they had left.

Yes, that’s 270 certificates signed by other CA certs that MIGHT be spoofed. That’s nothing on an internet-wide scale.

The impact of this is wildly overstated, and it ‘breaking the internet’ is quite a bold claim. But then again, that’s been the fad this year, hasn’t it? Announcing internet-breaking techniques, and when push comes to shove, it’s not actually that critical. (Heck, those swedish TCP stack breaking dudes don’t even have anything to show!)

In conclusion, what happened to actually checking the certificate you get sent, before confirming it? It’s been long known that the trust CA certs get is unjustified, and this proves it again. It’s this model that needs to be looked at, not MD5. It’s only a hash, and with enough computerpower collisions in any hash will become apparent. MD5 is old, and has served the world for what it’s worth. It’s been long time to retire this technique, and apparently many certs have.

By: Mark

Mark — Wed, 31 Dec 2008 07:01:01 +0000

Playstation 3s? Interesting choice, but a good way to make a proof of concept. Read up and see its because of the Intel chipset.

By: pdp

pdp — Tue, 30 Dec 2008 18:19:13 +0000

I guess on browser level, this attack can be mitigated to an extend.

By: pdp

pdp — Tue, 30 Dec 2008 15:40:05 +0000

interesting research and impressive result but the Internet will survive.

By: Janus Cook

Janus Cook — Tue, 30 Dec 2008 14:34:14 +0000

Awww. So all they did is create a rogue CA cert.
I guess my cherished gopher is safe :D

By: myname

myname — Tue, 30 Dec 2008 13:33:18 +0000

We’ve changed our previously semi-obscure title of �Making the theoretical possible� to �MD5 considered harmful today: Creating a rogue CA certificate.�
http://ioerror.livejournal.com/

By: Janus Cook

Janus Cook — Tue, 30 Dec 2008 10:53:31 +0000

Oh my. The ENTIRE internet?

I better start backing up my gopher bookmarks then.
*shakes head*

By: pdp

pdp — Tue, 30 Dec 2008 09:09:49 +0000

often things get quite over-hyped without even pushing them. i am sure that the research is great but who knows what it might turn out to be at the end. however, I get the feeling that it wont be related to PKI at all.

By: The Internet is Doomed, Again, For the First Time Since the Last Time… « Amrit Williams Blog

Tue, 30 Dec 2008 06:53:33 +0000

[...] thoughts from others around the blogosphere (here), (here), (here), and (here). I am sure there will be plenty of updates and analysis once the details are disclosed [...]

By: Fabio

Fabio — Tue, 30 Dec 2008 00:02:36 +0000

Errata Security thinks will be “something to do with PKI (public key cryptography)”
http://erratasec.blogspot.com/.....acted.html