2009-01-05
A few days ago at the Chaos Communication Congress in Berlin, researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL certificate using the RapidSSL brand of SSL certificate. In the intervening time we have seen a great deal of confusion and misinformation in the press and blogosphere about the specifics of this attack and what it means to the online ecosystem.
Comments:
2009-01-06, Charlie Miller (1 reply): MD5 Hack Interesting, But Not Threatening
2009-01-06, Robert Lemos (5 replies): Re: MD5 Hack Interesting, But Not Threatening
2009-01-06, Alexander Sotirov (1 reply): Verisign were notified about this work prior to the presentation
2009-01-08, Charles Hunter (1 reply): MD5 Hack Interesting, But Not Threatening
2009-01-09, Robert Lemos (2 replies): Re: MD5 Hack Interesting, But Not Threatening

The problem is that the only appropriate title for the article would be something like "Verisign's response to SSL Cert issue", NOT "Interesting, but not threatening."
The title of the author is also relevant - this guy's JOB is damage control.
An official response is one thing. Something trying to pass as a technical explanation, when it's really not at all, is another.
No one in their right mind can downplay this one to "interesting, but not threatening." By publishing this, you exacerbate the problems researchers have been dealing with since the birth of the internet. Chris Wysopal's latest column goes over this in more detail.
What exactly has to happen for a hack to be considered threatening? These guys have a certificate that, other than them intentionally invalidating it by expiring it in 2004, undermines the infrastructure put in place to prevent undetectable attacks against web activity, such as online banking.
Do they need a bank statement showing a withdrawal of your money before we call it threatening?
Link to this comment: http://www.securityfocus.com/comments/columns/488/35344#35344