Hi,
On Dec 31, 2008, at 4:32 PM, Ralph J.Mayer wrote:
for real, the browser manufacturers will just blacklist it. It's
really quite straightforward.
That's NOT the problem.
What they showed is:
- predictable serial numbers suck
- MD5 is weak enough to find a usable collision within a few days
on a cluster of 200 PS3s (if you don't own that many PS3s, go to Amazon
EC2)
Actually, I think what we could take from all this is a suggestion to
all XMPP client developers to not accept as valid an MD5 signature on
certificates.
After reading some articles online, my feeling is that the whole thing
puts the shame on the browser vendors, because they are the ones still
accepting MD5 as a secure signature method for certificates. I would
hope that the next version of my browser would warn me the same way it
warns about self-signed certificates if it only includes an MD5 signature.
Best regards,
--
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: [email protected]
Use XMPP!