On Wednesday 31 December 2008 09:43, Neil Williams wrote:
> On Wed, 31 Dec 2008 08:38:44 +0000
>
> Tom Potts <tompotts@xxxxxxxxxxxxxxxxxxxx> wrote:
> > http://www.theregister.co.uk/2008/12/30/ssl_spoofing/
>
> "The vulnerability in the web's SSL system is made possible by a handful
> of certificate authorities who continue to rely solely on MD5 to sign
> certificates. Even though the number amounts to a tiny fraction of
> authorities, all web browsers continue to accept MD5 hashes. The
> researchers didn't identify the certificate authorities by name."
>
> So it's the same story - if everyone used SSL properly, this breakage
> would not have been possible. Any system can only be as strong as the
> weakest link and some are just bone idle.
>
> MD5 is known to be weak - supporting it at all is an invitation to
> breakage.
>
> The simplest fix is for browsers to unilaterally drop support for MD5
> hashes on SSL certificates now that MD5-SSL is known to be vulnerable.
>
> Just what is the point of shouting about 128bit encryption if the
> validation of the certificate is using MD5????

In Firefox you can choose:
use ssl2.0
use ssl3.0
use tls1.0
which of these allow md5?

Tom te tom te tom

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html