[Owasp-delhi] SSL Broken..

Gunwant Singh gunwant.s at gmail.com
Thu Jan 8 14:23:00 EST 2009


Hi,

Thanks for sharing the information. Just wanted to add some more to this.

As you said:
"Since, MD5 is also used in signing certificates the browsers will have no
way of telling the difference between a genuine and a rogue website unless
other hashing algorithms like SHA-1 are also used."

FYI, even SHA-1 is susceptible to collision attacks. Practically, even if MD5
or SHA-1 are broken, this vulnerability still can't be readily used to
exploit the certificate genuineness up till 'Now'. Having said that, I did not
mean that it can't be exploited at all, thereby further exposing insecurity
on the internet. What I am saying is, until some more research is done on how
to exploit this in relevance to the certificates, we can unwind and count on
at least the certificates for now.

Some guys have come up with a PoC for the same, however not at a very
reasonable level.
Maybe you want to have a look at these:

http://www.cryptography.com/cnews/hash.html
http://www.securityfocus.com/columnists/488

IMHO I am sure this will be exploited with a solid rationale in the near
future.

Thanks,
-Gunwant Singh

On Fri, Jan 2, 2009 at 1:46 PM, Pranav Joshi <pranav.joshi at kriss.in> wrote:

> Hello Everyone.
>
> It's been quite a while since security issues with the MD5 algorithm started
> cropping up regarding reproducible hash collisions (a.k.a. Birthday
> Attack); this one ups the ante by driving the final nail in its coffin.
>
> Since, MD5 is also used in signing certificates the browsers will have no
> way of telling the difference between a genuine and a rogue website unless
> other hashing algorithms like SHA-1 are also used.
>
> http://blogs.computerworld.com/md5_ca_hack_and_the_ps3
>
> Warm Regards,
> Pranav Joshi
> Consultant - Information Security [CISA/GHTQ/GWAS/Security+]
> Email: pranav.joshi at kriss.in
> Phone: +91-9958967766



-- 
Gunwant Singh