Date: Tue, 30 Dec 2008 16:42:47 -0500
From: Valdis.Kletnieks@...edu
To: Elazar Broad <elazar@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Creating a rogue CA certificate

On Tue, 30 Dec 2008 16:13:07 EST, Elazar Broad said:
> And they should have listened then, it was only a matter of time
> before someone fleshed out a practical attack, and that time is
> now. Then again, I am sure there are some ATMs out there still using
> DES. How many times do we need to prove Moore's law...

Playing devil's advocate for a moment...

And perhaps they *were* listening, but realized that security is about
tradeoffs, and they balanced the cost of doing the upgrade back then
against the chances that a team as technically and budget-wise prepared
as this one, *and with nefarious intent*, would do something significantly
drastic enough to dent their revenue stream.

Read section 5.2 of the hashclash/rogue-ca paper.  The victim CA is churning
out an average of 1,000 certs in 3 days, let's say at $12 per. That's some
$600K per year for just the weekends, not counting the Mon-Thurs span which
is probably even higher (and why they targeted a weekend).  So $2M per year
or more.

Who wants to place a bet that said CA will be selling *the same number*
of certs every week, meaning they had *no* economic loss due to this hack,
because their customers won't actually *see* the news article and give them
a bad feeling about their CA?  And with no actual loss, why spend the money
to implement the change?

Hint: It *isn't* just a matter of changing one line in a script to say
'sha1' instead of 'md5' - you *also* need to go back and look at all the
certs you've issued already and figure out if they've been tweaked...

