Re: [Full-disclosure] Creating a rogue CA certificate



-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of jlay@xxxxxxxxxxxxxxxxxxx
Sent: Tuesday, December 30, 2008 3:17 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Creating a rogue CA certificate






SSL/PKI is only as strong as the weakest CA...



For those of you who haven't been following this, here you go:



http://www.win.tue.nl/hashclash/rogue-ca/
http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt



Enjoy and Happy New Years!



elazar







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/







From Microsoft:

http://www.microsoft.com/technet/security/advisory/961509.mspx



"Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method."



I take it the above is incorrect?



James






No, it is correct, because the attack creates a new CA from the compromised cert, which is then used to sign certs; it doesn't involve copying the signatures of certs that have already been signed by legit CAs, with the exception of the one that is used to create the rogue CA.
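The reply above turns on which certificates carry an MD5-based signature, which is exactly what a defender auditing a chain or trust store wants to find. The following is an added example, not code from the thread or from the hashclash/phreedom research: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and flags MD5 (and MD2) signatures. The sample certificate it builds is a constructed skeleton with placeholder tbsCertificate and signatureValue fields, not a real certificate.

```python
# Added example: flag MD5-signed certificates by reading the outer
# signatureAlgorithm OID of a DER-encoded X.509 certificate. The sample
# certificate below is a constructed skeleton, not a real certificate.

MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                "1.2.840.113549.1.1.2": "md2WithRSAEncryption"}

def der(tag, content):
    assert len(content) < 0x80   # short-form length suffices for the sample
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):
    # Return (tag, content, position after this TLV); handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    # Base-128 sub-identifiers; the first sub-identifier packs the first two arcs.
    subids, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + subids[1:])

def signature_algorithm(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, body, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(body, 0)              # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)            # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = read_tlv(alg, 0)
    assert tag == 0x06, "signatureAlgorithm must start with an OID"
    return decode_oid(oid_raw)

def uses_md5(cert_der):
    return signature_algorithm(cert_der) in MD5_SIG_OIDS

def sample_cert(oid_hex):
    # Constructed stand-in: a real cert carries a full TBSCertificate and signature.
    tbs = der(0x30, der(0x02, b"\x02"))
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00\xff"))

MD5_RSA, SHA256_RSA = "2a864886f70d010104", "2a864886f70d01010b"
```

For a PEM file, base64-decode the body between the BEGIN/END lines before passing it in; `openssl x509 -noout -text` reports the same field as "Signature Algorithm".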
