Friday, January 2, 2009

Watch Out with Secure Certificates

You may have heard it: there is a problem with one aspect of SSL, namely certificates signed with MD5 hashes. The practical implication is that it's possible for an attacker to "impersonate" a site with what appears to be a valid https certificate, or to eavesdrop on the traffic (MiM - Man in the Middle). Vulnerabilities in MD5 have been known for years, but exploiting them against certificates has now been done and demonstrated in public.

The problem, and the remedy for it, rest with the Certificate Authorities (CAs) issuing and verifying certificates. The fix is simply to use SHA1 hashes instead, and that is already done in many cases, but as long as MD5 hashes are still accepted there is a risk that a forged MD5-signed certificate can be used.
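The check a defender wants after reading this is to see which hash a certificate was actually signed with, since that is the field the CA fills in and the one this attack abuses. Below is an added example, not code from the original post: a standard-library Python routine that walks only the outer DER layout of an X.509 certificate (tbsCertificate, signatureAlgorithm, signatureValue), reads the signatureAlgorithm OID and classifies it. The OID table comes from RFC 3279/4055; `make_sample_cert` builds a constructed shell with the same outer layout (not a real certificate) so the check can run offline, and `sample_pem` is a helper assumed here for the PEM path.

```python
"""Classify the signature algorithm of an X.509 certificate (DER or PEM).

Standard library only. The parser reads just the outer
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
structure; everything inside tbsCertificate is skipped.
"""
import ssl
import sys

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) and how to treat them:
# MD5 signatures are rejected outright (collisions demonstrated), SHA-1 was
# the remedy the post describes but is itself retired today, SHA-2 is fine.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "reject"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "warn"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted form, e.g. '1.2.840.113549.1.1.4'."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert):
    """Return the dotted OID of the signatureAlgorithm field of a DER (bytes) or PEM (str) cert."""
    if isinstance(cert, str):              # PEM text -> DER bytes via the stdlib
        cert = ssl.PEM_cert_to_DER_cert(cert)
    tag, body, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, end = _read_tlv(body, 0)         # tbsCertificate: skipped entirely
    tag, alg, _ = _read_tlv(body, end)     # signatureAlgorithm: AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify_signature(cert):
    """Map a certificate to (algorithm name, verdict); unknown OIDs get 'warn'."""
    oid = signature_algorithm(cert)
    return SIGNATURE_OIDS.get(oid, (oid, "warn"))


# --- constructed sample input (NOT a real certificate) ---------------------

def _der(tag, body):
    """Encode one DER element; used only to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return bytes(out)


def make_sample_cert(oid):
    """Constructed certificate shell: real outer layout, dummy contents.

    The dummy tbsCertificate is padded past 127 bytes so that long-form DER
    lengths are exercised, as they are in every real certificate.
    """
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))
    alg = _der(0x30, _der(0x06, _encode_oid(oid)) + b"\x05\x00")  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\x00" * 16)                       # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


def sample_pem(oid):
    """Same constructed sample, wrapped as PEM text."""
    return ssl.DER_cert_to_PEM_cert(make_sample_cert(oid))


if __name__ == "__main__":
    # Usage: python check_sig.py cert1.pem cert2.der ...
    for path in sys.argv[1:]:
        raw = open(path, "rb").read()
        cert = raw.decode() if raw.startswith(b"-----BEGIN") else raw
        name, verdict = classify_signature(cert)
        print(f"{path}: {name} -> {verdict}")
```

For a live server, the PEM string returned by `ssl.get_server_certificate((host, 443))` can be passed straight to `classify_signature`. Note that checking the leaf alone is not enough: the signature that matters is the one each issuing CA put on the certificate below it, so every link in the chain (intermediates included) should be classified the same way.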

How easy is this to do? Well, it requires some effort - the demonstration in Berlin involved 200 PlayStation 3 machines working for a few days. Of course, any kind of computing power can be used for this kind of work, even (and maybe in particular) rogue computing power such as hijacked computers forming botnets.

It's noteworthy that other things relying on SSL besides https certificates may be affected, such as SSL VPNs.