Another threat to the internet

Some people presented a rogue Certificate Authority at this year's CCC. What is surprising is not so much that they could create such a rogue CA, but the fact that MD5, despite having been broken for several years, is still in use by some important CAs to sign SSL certificates. Amazing.

2008-12-30 20:42:40+0900


One Response to “Another threat to the internet”

  1. Kapil Hari Paranjape Says:

    While I agree that people should provide hash sums other than md5 nowadays just as they should use RSA with at least 1024 bit keys, failing to do this is nowhere near as serious as signing certificates without proper verification.

    The latter is a human error or organisational error. It is errors of this kind that have led to far more security breaches than those due to weak crypto in the recent past.