[GTER] Na C3 hoje - MD5 break - Rogue CA

Nelson Murilo nelson at pangeia.com.br
Tue Dec 30 14:55:09 -02 2008

Ola Fred,

so pra reforcar, o problema ai e´ o MD5 e nao o SSL. 

O MD5 esta´ quebrado desde 2004 [1], pelo menos disto 2008 nao tem culpa. 

Feliz 2010 pra todos 

./nelson -murilo - http://naopod.com

[1] - http://www.cryptography.com/cnews/hash.html

On Tue, Dec 30, 2008 at 02:27:12PM -0200, Frederico A C Neves wrote:
> Se alguém ainda confia nos argumentos que os atuais certificados SSL
> tornam DNSSEC desnecessário, leia o artigo que saiu na C3 hoje.
> http://www.win.tue.nl/hashclash/rogue-ca/
> "MD5 considered harmful today
> Creating a rogue CA certificate
> December 30, 2008
> Alexander Sotirov, Marc Stevens,
> Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de
> Weger
> We have identified a vulnerability in the Internet Public Key
> Infrastructure (PKI) used to issue digital certificates for secure
> websites. As a proof of concept we executed a practical attack
> scenario and successfully created a rogue Certification Authority (CA)
> certificate trusted by all common web browsers. This certificate
> allows us to impersonate any website on the Internet, including
> banking and e-commerce sites secured using the HTTPS protocol.
> Our attack takes advantage of a weakness in the MD5 cryptographic hash
> function that allows the construction of different messages with the
> same MD5 hash. This is known as an MD5 "collision". Previous work on
> MD5 collisions between 2004 and 2007 showed that the use of this hash
> function in digital signatures can lead to theoretical attack
> scenarios. Our current work proves that at least one attack scenario
> can be exploited in practice, thus exposing the security
> infrastructure of the web to realistic threats."
> Não poderia ser um final pior para um 2008 tenebroso.... que 2009 seja
> melhor, feliz ano novo para todos.
> []s
> Fred
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter

More information about the gter mailing list