
Re: [LUG] ssl cracked

 

On Wednesday 31 December 2008 09:43, Neil Williams wrote:
> On Wed, 31 Dec 2008 08:38:44 +0000
>
> Tom Potts <tompotts@xxxxxxxxxxxxxxxxxxxx> wrote:
> > http://www.theregister.co.uk/2008/12/30/ssl_spoofing/
>
> "The vulnerability in the web's SSL system is made possible by a handful
> of certificate authorities who continue to rely solely on MD5 to sign
> certificates. Even though the number amounts to a tiny fraction of
> authorities, all web browsers continue to accept MD5 hashes. The
> researchers didn't identify the certificate authorities by name."
>
> So it's the same story - if everyone used SSL properly, this breakage
> would not have been possible. Any system can only be as strong as the
> weakest link and some are just bone idle.
>
> MD5 is known to be weak - supporting it at all is an invitation to
> breakage.
>
> The simplest fix is for browsers to unilaterally drop support for MD5
> hashes on SSL certificates now that MD5-SSL is known to be vulnerable.
>
> Just what is the point of shouting about 128bit encryption if the
> validation of the certificate is using MD5????
In Firefox you can choose:
use ssl2.0
use ssl3.0
use tls1.0
Which of these allow MD5?
Tom te tom te tom


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html