MD5 Hack Interesting, But Not Threatening

MD5 Hack Interesting, But Not Threatening
Tim Callan, 2009-01-05

A few days ago at the Chaos Communication Congress in Berlin, researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL certificate using the RapidSSL brand of SSL certificate. In the intervening time we have seen a great deal of confusion and misinformation in the press and blogosphere about the specifics of this attack and what it means to the online ecosystem.

Expand all | Post comment

MD5 Hack Interesting, But Not Threatening 2009-01-05
Anonymous (1 replies)

Re: MD5 Hack Interesting, But Not Threatening 2009-01-22
Anonymous

MD5 Hack Interesting, But Not Threatening 2009-01-06
Charlie Miller (1 replies)

Re: MD5 Hack Interesting, But Not Threatening 2009-01-06
Robert Lemos (5 replies)

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-06
Anonymous (1 replies)

Re: Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-12
Anonymous

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-06
Anonymous

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-08
Anonymous

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-22
Anonymous

When is it "threatening"? When they post your bank statements as part of the presentation? 2009-01-23
Anonymous

MD5 Hack Interesting, But Not Threatening 2009-01-06
Margot (1 replies)

Re: MD5 Hack Interesting, But Not Threatening 2009-01-07
Anonymous

Verisign were notified about this work prior to the presentation 2009-01-06
Alexander Sotirov (1 replies)

Re: Verisign were notified about this work prior to the presentation 2009-01-07
Ichinin (4 replies)

Re: Re: Verisign were notified about this work prior to the presentation 2009-01-07
Anonymous

Re: Re: Verisign were notified about this work prior to the presentation 2009-01-08
Anonymous

This, and the merger as an excuse for not switching away from MD5, sounds like bad management is the real thread to security here. Corporations working in the security sector cannot afford for a critical bit of information to be floating around the office for weeks prior to getting to the right person(s).

I just imagine the merger of two dairies, with one saying ``Oh, we can only make cheese for the next couple of years, because the new management needs to learn our company culture and that basically halts our operations.''

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/488/35303#35303

Re: Re: Verisign were notified about this work prior to the presentation 2009-01-08
Anonymous

MD5 Hack Interesting, But Not Threatening 2009-01-08
Charles Hunter (1 replies)

Re: MD5 Hack Interesting, But Not Threatening 2009-01-09
Robert Lemos (2 replies)

Re: MD5 Hack Interesting, But Not Threatening 2009-01-09
Anonymous (1 replies)

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-14
Anonymous

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-16
Charles Hunter

Hilarious Corporate Spin! How about some real answers? 2009-01-10
Anonymous

MD5 Hack Interesting, But Not Threatening 2009-01-12
xort

MD5 Hack Interesting, But Not Threatening 2009-01-12
Chris Fahey

Serious suggestions welcome... 2009-01-15
Robert Lemos

MD5 Hack Interesting, But Not Threatening 2009-02-02
Jamie