MD5 Hack Interesting, But Not Threatening
Tim Callan, 2009-01-05

A few days ago at the Chaos Communication Congress in Berlin, researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL certificate using the RapidSSL brand of SSL certificate. In the intervening time we have seen a great deal of confusion and misinformation in the press and blogosphere about the specifics of this attack and what it means to the online ecosystem.

MD5 Hack Interesting, But Not Threatening 2009-01-08
Charles Hunter (1 replies)
MD5 Hack Interesting, But Not Threatening 2009-01-12
xort
I found this article to be not much more than a waste of space on SecurityFocus. I would think someone from VeriSign would have more sense than to say this is not a serious issue. The simple fact of the matter is, there are people out there with the computational power to successfully recreate attacks such as this with great ease. Think foreign governments and botnet owners - the kind of people you don't want exploiting flaws like this at all. The US Gov and other govs have long been known to have been exploiting SSL cert authentications for uploading code to people's browsers during attacks. Think - what certs come default as trusted in Windows *wink*. This past year has seen a rise in discovery of older flaws that have long affected our Internet's infrastructure. This and Dan (I-worked-on-dns-all-my-life-and-finally-found-a-bug) Kaminsky's DNS flaw are prime examples of this. These flaws need to be taken more seriously despite what some idiot with a blog thinks.


Link to this comment: http://www.securityfocus.com/comments/columns/488/35315#35315
Serious suggestions welcome... 2009-01-15
Robert Lemos







 

Copyright 2009, SecurityFocus