Sloth Posted December 30, 2008 Posted December 30, 2008 If you missed the amazing live streaming lecture from the 25th Chaos Communication Congress in Berlin this morning you really missed out on a great presentation. Never fear though the paper from Alexander Sotirov & associates has already surfaced on the interweb. The paper outlines the full attack (minus some critical reproduction info) of how one would go about creating and using a rogue CA certificate, that theoretically could cripple the internet and cause global user panic (ok maybe i'm being a bit to dramatic, but still). Yes i know this sort of attack has been theory for sometime but now it has been POCed (talk about one hell of a man in the middle attack). Oh well enough of my senseless babel.....on to the link: http://www.win.tue.nl/hashclash/rogue-ca/ Hope you all enjoy this paper as much as myself :) -Sloth Quote
Sparda Posted December 30, 2008 Posted December 30, 2008 If you missed the amazing live streaming lecture from the 25th Chaos Communication Congress in Berlin this morning you really missed out on a great presentation. Never fear though the paper from Alexander Sotirov & associates has already surfaced on the interweb. The paper outlines the full attack (minus some critical reproduction info) of how one would go about creating and using a rogue CA certificate, that theoretically could cripple the internet and cause global user panic (ok maybe i'm being a bit to dramatic, but still). Yes i know this sort of attack has been theory for sometime but now it has been POCed (talk about one hell of a man in the middle attack). Oh well enough of my senseless babel.....on to the link: http://www.win.tue.nl/hashclash/rogue-ca/ Hope you all enjoy this paper as much as myself :) -Sloth I'd class this as myth unless demoed. Quote
Sloth Posted December 30, 2008 Author Posted December 30, 2008 I'd class this as myth unless demoed. it was this morning at 9:15am est @ 25c3 in Berlin lol.... and a bit more proof for ya mate hope that helps you classify this a bit more correctly Security Alerts: http://www.microsoft.com/technet/security/...ory/961509.mspx http://blog.mozilla.com/security/2008/12/3...ficate-forgery/ Wired news article: http://blog.wired.com/27bstroke6/2008/12/berlin.html Quote
stingwray Posted January 2, 2009 Posted January 2, 2009 Excellent talk, it was demo'd and works brilliantly, PoC certificate is back dated to prevent any misuse and hopefully will be blacklisted by the browsers soon. Although the collisions in MD5 make the attack predicable, if CAs use random serial numbers and generation times then its unlikely to be seen in the wild until MD5 is further broken down, hopefully giving time for more Certificates to move to SHA. Quote
H@L0_F00 Posted January 3, 2009 Posted January 3, 2009 MD5 SSL singed certs are history... http://hackaday.com/2008/12/30/25c3-hacker...using-200-ps3s/ Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.