From: Thomas Ptacek (tqbf matasano.com)
Date: Tue Dec 30 2008 - 13:18:06 CST
So now that the details are (mostly) out, can you tell us who did
what? Jeremy and I think the RapidSSL serial number was you.
On Tue, Dec 30, 2008 at 10:52 AM, Alexander Sotirov <alex sotirov.net> wrote:
> Our research team, consisting of 7 researchers from the United States,
> Switzerland and the Netherlands, was able to execute a practical MD5 collision
> attack and create a rogue Certification Authority trusted by all common web
> browsers. This allows us to perform transparent man-in-the-middle attacks
> against SSL connections and monitor or tamper with the traffic to secure
> websites or email servers.
>
> The infrastructure of Certification Authorities is meant to prevent exactly
> this type of attack. Our work shows that known weaknesses in the MD5 hash
> function can be exploited in a realistic attack, due to the fact that even after
> years of warnings about the lack of security of MD5, some root CAs are still
> using this broken hash function.
>
> More details:
> http://www.phreedom.org/research/rogue-ca/
>
> Enjoy!
>
> Alex
> _______________________________________________
> Dailydave mailing list
> Dailydave lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log