[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On Wed, 31 Dec 2008 08:38:44 +0000 Tom Potts <tompotts@xxxxxxxxxxxxxxxxxxxx> wrote: > http://www.theregister.co.uk/2008/12/30/ssl_spoofing/ "The vulnerability in the web's SSL system is made possible by a handful of certificate authorities who continue to rely solely on MD5 to sign certificates. Even though the number amounts to a tiny fraction of authorities, all web browsers continue to accept MD5 hashes. The researchers didn't identify the certificate authorities by name." So it's the same story - if everyone used SSL properly, this breakage would not have been possible. Any system can only be as strong as the weakest link and some are just bone idle. MD5 is known to be weak - supporting it at all is an invitation to breakage. The simplest fix is for browsers to unilaterally drop support for MD5 hashes on SSL certificates now that MD5-SSL is known to be vulnerable. Just what is the point of shouting about 128bit encryption if the validation of the certificate is using MD5???? -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/
Attachment:
pgpjLBjPxA4c8.pgp
Description: PGP signature
-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html