2009-01-05
A few days ago at the Chaos Communication Congress in Berlin, researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL certificate using the RapidSSL brand of SSL certificate. In the intervening time we have seen a great deal of confusion and misinformation in the press and blogosphere about the specifics of this attack and what it means to the online ecosystem.
MD5 Hack Interesting, But Not Threatening
2009-01-06
Charlie Miller (1 replies)
Re: MD5 Hack Interesting, But Not Threatening
2009-01-06
Robert Lemos (5 replies)
Verisign were notified about this work prior to the presentation
2009-01-06
Alexander Sotirov (1 replies)
MD5 Hack Interesting, But Not Threatening
2009-01-08
Charles Hunter (1 replies)
Re: MD5 Hack Interesting, But Not Threatening
2009-01-09
Robert Lemos (2 replies)

If you're a security company selling a product that makes the claims that Verisign does, it is their responsibility to alert their customer base to any exposure, no matter how insignificant, and to give them various options to fix the problem. Let me decide what my exposure should be, not you for my company.
As for the previous post that they may have known but not known. Yes, that very well could have been the case. To that I would say, for a company whose business is fast and secure communications, if you can't keep your own house in order as far as handling information of clientele exposure of this magnitude, why should I trust you to help me with mine?
All of this came on pretty fast (about mid December or so) and Verisign was responsive. Does this excuse them from practicing due diligence and full disclosure with their clients? No.
So again I say, shenanigans...
Link to this comment: http://www.securityfocus.com/comments/columns/488/35305#35305