OpenSSL, MD5, CA security flaws, oh my

der.hans PLUGd at LuftHans.com
Wed Jan 7 16:19:17 MST 2009


moin moin,

Lisa has probably posted the second issue, but I'm a bit behind on the
list. The first one appears to be from today and I don't see anything from
her today.

http://openssl.org/news/secadv_20090107.txt

OK, so DSA and ECDSA certs in OpenSSL now are suspect, but RSA is still
safe, except...

http://www.win.tue.nl/hashclash/rogue-ca/

Hmm, it's possible to impersonate a CA and create RSA certs that'll be
accepted :(.

I think the 'Outline of the attack' section indicates that the original CA
certificate is needed, so CAs moving away from MD5 can avoid the problem.

ciao,

der.hans
-- 
#  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
#  Strangers are friends just waiting to happen!


More information about the PLUG-discuss mailing list