A team of security researchers and academics has broken a core piece
of Internet technology. They made their work public at the 25th Chaos
Communication Congress in Berlin today. The team was able to create a
rogue certificate authority and use it to issue valid SSL certificates
for any site they want. The user would have no indication that their
HTTPS connection was being monitored/modified.
http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-ps3s/
http://phreedom.org/research/rogue-ca/
I read a comment somewhere else that while this is interesting, and good work, and well done, in practice it's much easier to social-engineer a certificate with a stolen credit card from a real CA than it is to create a fake CA.
(I'd give proper attribution if I could remember who it was, but it put things into perspective for me at the time so I thought I'd share.)
Joe
Joe Abley wrote:
A team of security researchers and academics has broken a core piece
of Internet technology. They made their work public at the 25th Chaos
Communication Congress in Berlin today. The team was able to create a
rogue certificate authority and use it to issue valid SSL certificates
for any site they want. The user would have no indication that their
HTTPS connection was being monitored/modified.
I read a comment somewhere else that while this is interesting, and good
work, and well done, in practice it's much easier to social-engineer a
certificate with a stolen credit card from a real CA than it is to
create a fake CA.
(I'd give proper attribution if I could remember who it was, but it put
things into perspective for me at the time so I thought I'd share.)
It is. But this issue might open for man-in-the-middle attacks, which is
much harder for issued certificates.
Issued certificates usually also incorporate a check, that you control a
domain etc.
With engineered certificates you can practically avoid that whole process.
Kind regards,
Martin List-Petersen
Rodrick Brown wrote:
A team of security researchers and academics has broken a core piece
of Internet technology. They made their work public at the 25th Chaos
Communication Congress in Berlin today. The team was able to create a
rogue certificate authority and use it to issue valid SSL certificates
for any site they want. The user would have no indication that their
HTTPS connection was being monitored/modified.
25C3: Hackers Completely Break SSL Using 200 PS3s | Hackaday
Creating a rogue CA certificate
--
[ Rodrick R. Brown ]
http://www.rodrickbrown.com http://www.linkedin.com/in/rodrickbrown
ssl itself wasn't cracked they simply exploited the known vulnerable md5 hashing. Another hashing method needs to be used.
ssl itself wasn't cracked they simply exploited the known vulnerable
md5
hashing. Another hashing method needs to be used.
The encryption algorithm wasn't hacked. Correct. Another hashing method
may help. Yup.
My problem is with the chain-of-trust and a lack of reasonable or reasonably reliable (pick)
ways of revoking certificates.
Deepak
