Wednesday, December 31, 2008

Creating a Fake CA Certificate

I have to say, beautiful work...

MD5 considered harmful today
The authors describe how they were able to create a CA certificate that would be trusted by a browser. It involves cleverly crafted MD5 collision attacks. Some of the work is novel, as in how they came up with the collision. Another part came down to 'sheer luck' in a sense. All it took was a CA that was dumb enough to use MD5 AND sequential serial numbers, both of which should be easily removed from tomorrow onwards. Still, nice and solid work.
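As an added example (my own code, not from the paper or from the CA in question), here is a small Python check a defender could run over certificates in a trust store or over a CA's issued-certificate log. It walks the DER structure by hand to pull out the signature algorithm OID and the serial number, flags certificates signed with MD5 (or MD2), and reports whether a batch of serial numbers looks sequential, i.e. predictable, which is the second ingredient the attack needed. The certificate it parses is a constructed, unsigned skeleton built inside the block; the helper names and the `max_gap` threshold are assumptions of this example.

```python
"""Flag X.509 certificates signed with MD5/MD2 and detect sequential serial
numbers, the two CA weaknesses the post describes.

Minimal hand-written DER walker, no external dependencies.  The certificate
used for the demo is a constructed skeleton (unsigned, minimal fields), NOT a
real CA certificate.
"""

# PKCS#1 signature-algorithm OIDs (the ones relevant here)
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_HASH_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value (SEQUENCE)."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _decode_oid(val):
    """Decode DER OID content bytes into dotted form."""
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def inspect_certificate(der):
    """Return (serial_number, signature_oid) from a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    parts = list(_children(cert))           # tbsCertificate, signatureAlgorithm, signatureValue
    tbs = list(_children(parts[0][1]))
    if tbs[0][0] == 0xA0:                   # optional explicit [0] version
        tbs = tbs[1:]
    serial = int.from_bytes(tbs[0][1], "big", signed=True)
    oid = _decode_oid(list(_children(parts[1][1]))[0][1])
    return serial, oid


def uses_weak_hash(der):
    """True if the certificate's outer signature algorithm is MD5- or MD2-based."""
    return inspect_certificate(der)[1] in WEAK_HASH_OIDS


def serials_look_sequential(serials, max_gap=16):
    """True if the serials, sorted, advance in small steps (i.e. are predictable).
    Randomly generated serials of sensible size produce huge gaps instead."""
    if len(serials) < 3:
        return False
    s = sorted(serials)
    return all(0 < b - a <= max_gap for a, b in zip(s, s[1:]))


# --- constructed test certificate (DER encoder helpers, demo only) ---------

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_skeleton_cert(serial, sig_oid):
    """Constructed minimal, unsigned certificate skeleton (assumption: demo only)."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # AlgorithmIdentifier + NULL
    version = _tlv(0xA0, b"\x02\x01\x02")                              # [0] EXPLICIT INTEGER 2 (v3)
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big")  # minimal positive INTEGER
    tbs = _tlv(0x30, version + _tlv(0x02, serial_bytes) + alg)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))                # empty BIT STRING signature


if __name__ == "__main__":
    cert = build_skeleton_cert(0x1A2B, "1.2.840.113549.1.1.4")
    serial, oid = inspect_certificate(cert)
    print(f"serial={serial:#x} sig={SIG_OIDS.get(oid, oid)} weak={uses_weak_hash(cert)}")
    print("sequential serials:", serials_look_sequential([1001, 1002, 1003, 1004]))
```

Run on a real DER certificate read from disk, `uses_weak_hash` is the check worth putting in a trust-store audit; `serials_look_sequential` is meant for a CA reviewing its own issuance log, where a run of small gaps means an attacker can predict the next serial and validity period ahead of time.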

It's been some time since I've enjoyed reading a scientific article...

Edited to add:
The problem is 'fixed', at least for Verisign.
