OpenSSL, MD5, CA security flaws, oh my
der.hans
PLUGd at LuftHans.com
Wed Jan 7 16:19:17 MST 2009
moin moin,
Lisa has probably posted the second issue, but I'm a bit behind on the
list. The first one appears to be from today and I don't see anything from
her today.
http://openssl.org/news/secadv_20090107.txt
OK, so DSA and ECDSA certs in OpenSSL now are suspect, but RSA is still
safe, except...
http://www.win.tue.nl/hashclash/rogue-ca/
Hmm, it's possible to impersonate a CA and create RSA certs that'll be
accepted :(.
I think the 'Outline of the attack' section indicates that the original CA
certificate is needed, so CAs moving away from MD5 can avoid the problem.
ciao,
der.hans
--
# http://www.LuftHans.com/ http://www.LuftHans.com/Classes/
# Strangers are friends just waiting to happen!
More information about the PLUG-discuss
mailing list