http://www.freedom-to-tinker.com/blog/felten/researchers-show-how-forge-site-certificates
By Ed Felten - Posted on December 30th, 2008 at 11:18 am

Today at the Chaos Computing Congress, a group of researchers (Alex Sotirov, Marc Stevens, Jake Appelbaum, Arjen Lenstra, Benne de Weger, and David Molnar) announced that they have found a way to forge website certificates that will be accepted as valid by most browsers. This means that they can successfully impersonate any website, even for secure connections.

---

Through the use of MD5 collisions.

The slides from the presentation are available here:
http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html

The presentation entitled "MD5 considered harmful today, Creating a rogue CA Certificate"

The collisions were found with a cluster of 200 PlayStation 3's. (slide number 3, see slide number 25 for a picture of the cluster, a collision taking one to two days)

They apparently did a live demo using forged certificates in a man in the middle attack using a wireless network during the demonstration with access by the audience. (slide number 5)

CAs still using MD5 in 2008: (slide number 19)

- RapidSSL
- FreeSSL
- TrustCenter
- RSA Data Security
- Thawte
- verisign.co.jp

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
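A defender's check for the condition the post describes, certificates whose signature still relies on MD5. This is an added example, not part of the original post or the researchers' material: it reads the outer signatureAlgorithm of a DER-encoded X.509 certificate and flags md5WithRSAEncryption. The function names are this example's own, and the sample input is a constructed DER skeleton with dummy fields, not a real certificate.

```python
MD5_WITH_RSA = "1.2.840.113549.1.1.4"  # md5WithRSAEncryption (PKCS #1)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    first = min(body[0] // 40, 2)  # first byte packs the first two arcs
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:  # remaining arcs are base-128, high bit = "more bytes"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """OID of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    tag, start, _ = read_tlv(cert_der, 0)                # Certificate SEQUENCE
    tbs_tag, _, tbs_end = read_tlv(cert_der, start)      # tbsCertificate, skipped whole
    alg_tag, alg_start, _ = read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if (tag, tbs_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    return decode_oid(cert_der[oid_start:oid_end])

def signed_with_md5(cert_der):
    return signature_algorithm_oid(cert_der) == MD5_WITH_RSA

# Constructed sample input: DER skeletons with the certificate layout but dummy fields.
def tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(last_arc):  # last_arc 4 = md5WithRSA, 11 = sha256WithRSA
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + tlv(0x04, bytes(200)))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(17)))
```

For a PEM file, convert with the standard library's `ssl.PEM_cert_to_DER_cert()` first, and run the check on every certificate in the chain, since the forged CA described above sits above the leaf.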