Thursday, January 1, 2009

Rogue CA Certificate Using PlayStations and MD5 Collisions

Alex Sotirov and Jacob Appelbaum presented "MD5 Considered Harmful Today: Creating a rogue CA Certificate" at the 25th Chaos Communication Congress (25C3). Their process, which relied on a cluster of 200 PS3 consoles, creates a valid rogue CA certificate that major browsers will accept. The only real fix for this is for browsers to move to SHA-1, which will avoid the known collision weaknesses in MD5. In the short term, this is unlikely to be exploited, but the proof of concept does point to a need to move to a more secure verification method.

ZDNet has more, including details from Sotirov and Appelbaum, as well as a link to their demo site, which uses a backdated CA from 2004 to demonstrate the issue.
