
Re: [LUG] ssl cracked


Neil Williams wrote:
> On Wed, 31 Dec 2008 08:38:44 +0000
> Tom Potts <tompotts@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> http://www.theregister.co.uk/2008/12/30/ssl_spoofing/
>
> "The vulnerability in the web's SSL system is made possible by a handful
> of certificate authorities who continue to rely solely on MD5 to sign
> certificates. Even though the number amounts to a tiny fraction of
> authorities, all web browsers continue to accept MD5 hashes. The
> researchers didn't identify the certificate authorities by name."
>
Presumably they were afraid that if they did, those CAs would
sue to prevent publication, as has happened in other cases
involving "security" products which have been found to be easy
to subvert.
> So it's the same story - if everyone used SSL properly, this breakage
>
Problem is that not everyone can agree what is "properly",
as was indicated by Firefox 3 changing the way in which it
handled self-signed certificates.
> would not have been possible. Any system can only be as strong as the
> weakest link and some are just bone idle.
>
Sometimes the weakest link can be very weak indeed.
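The check the quoted article says browsers did not make, added here as an example (not code from the list post, the article or any browser): a minimal DER walker that reads a certificate's outer signatureAlgorithm OID and flags MD5 (and SHA-1) signatures. The two certificates at the bottom are constructed stand-ins with dummy bodies, not real certificates.

```python
# Added example: flag certificates signed with MD5 (or SHA-1), i.e. the
# check the article says browsers lacked. Minimal DER walker over
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
# (RFC 5280 section 4.1); standard library only.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def read_tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs, value = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the dotted OID from the certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)           # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)         # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg, 0)            # its first element is the OID
    return decode_oid(oid)

def weak_signature(cert_der):
    """Name of the weak digest if the certificate should be rejected, else None."""
    return WEAK_SIG_OIDS.get(signature_algorithm(cert_der))

# Constructed stand-in certificates (dummy tbsCertificate and signature bytes)
# to exercise the parser; they are not real certificates.
def _der(tag, content):                     # short-form length only (< 128 bytes)
    return bytes([tag, len(content)]) + content

def _fake_cert(sig_oid):
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xab"))

MD5_CERT = _fake_cert(bytes.fromhex("2a864886f70d010104"))     # md5WithRSAEncryption
SHA256_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
```

Run against a real DER file with `weak_signature(open("cert.der", "rb").read())`; a non-None result is a certificate that relies on a digest for which chosen-prefix collisions are practical.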



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html