Tom Potts wrote:
> http://www.theregister.co.uk/2008/12/30/ssl_spoofing/

http://www.win.tue.nl/hashclash/rogue-ca/

This link lists the certificate authorities trusted by Firefox that issued MD5 certificates in July 2008. Looks like Equifax RapidSSL is the only one of significance.

The owners of Equifax usually have a reissue policy - be interesting to see if it applies here since presumably as soon as the CAs stop issuing MD5 signed certificates the problem goes away (doesn't look like you need to reissue the certificates themselves, just stop issuing new ones).

That said the security provided by SSL is pretty limited, since one only needs control of administrative emails for a domain for a short period to obtain a valid SSL certificate. So great for ensuring the communication is encrypted from browser to server, but of less value for ensuring the server is who you thought it was.

The serious bit is the comments on SHA-1 - since MD5 is a minority thing, but SHA-1 is used everywhere in the SSL architecture. If SHA-1 is bust the bad guys may well start creating their own certificates (rather than relying on others to sign them).

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
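A defender-side check for the MD5 and SHA-1 point in the message above, added here as an example and not part of the original post: it reads the outer `signatureAlgorithm` of a DER-encoded X.509 certificate with a small standard-library parser and flags MD5- or SHA-1-based signatures. The names `audit`, `der` and `sample_cert` are hypothetical, and the sample bytes are a constructed skeleton rather than a real certificate.

```python
SIG_OIDS = {  # signature-algorithm OIDs mapped to their usual names
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
FLAGGED = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}  # hashes the post discusses

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # assumes the first two arcs share one byte (true for 1.2.x)
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def audit(cert_der):
    """Return (outer signatureAlgorithm, flagged) for one DER X.509 certificate."""
    tag, pos, _ = read_tlv(cert_der, 0)                # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, pos)            # skip tbsCertificate
    alg_tag, alg_pos, _ = read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier
    oid_tag, oid_pos, oid_end = read_tlv(cert_der, alg_pos)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06) or oid_pos == oid_end:
        raise ValueError("unexpected certificate structure")
    oid = decode_oid(cert_der[oid_pos:oid_end])
    name = SIG_OIDS.get(oid, oid)  # unknown algorithms come back as the dotted OID
    return name, name in FLAGGED

def der(tag, body):  # encoder used only to build the constructed sample
    n = len(body)
    head = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + head + body

def sample_cert(oid_hex):  # constructed skeleton, NOT a real certificate
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, bytes(300)) + alg + der(0x03, bytes(9)))
```

For a PEM file, `ssl.PEM_cert_to_DER_cert()` from the standard library gives the bytes `audit` expects.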