just to pick your brain a moment ... (linus52, January 7 2009, 20:31:19 UTC)
So out of curiosity;
What I gathered from their article is that they really needed a site that would send them signed certificates with which they could figure out the serial sequence too, and generate a certificate that could collide with an upcoming certificate.
What this doesn't mean is that those of us who have our own CA used to sign our own certs for our own use are going to have someone crack that and generate certificates that look like we signed them. Right?
I have some faculty that are convinced we are about to implode.
Re: just to pick your brain a moment ... (shanzer, January 8 2009, 02:13:38 UTC)
I have not read the details, but figuring out the serial sequence should not be a factor. If the attacker can get a legit certificate from your CA, that certificate request can be carefully formatted so it can have a MD-5 collision with a different certificate that the attacker generated. So the signature can be used to generate a rogue certificate that can then be used to issue other certificates.
Some ways to avoid this:
1) do not use MD-5, use SHA-1 or better yet SHA-256/512
2) Put a basic constraints extension in your CA cert that limits the depth of the CA chain. So they might have a cert signed by you, but they cannot use that to sign other certs.
OK, that's all I can think of for now ...
Re: just to pick your brain a moment ... (linus52, January 8 2009, 16:34:51 UTC)
I don't issue certificates to anyone but myself, which is why I figured that this won't actually affect me. Certainly, I will never use MD5 again, but do I need to go back and re-do everything that has been done before? From what I can tell, no...
but that's why I am asking friends with CLUEs: I may be missing something obvious here.
Re: just to pick your brain a moment ... (shanzer, January 8 2009, 16:39:09 UTC)
I would not bother re-doing old stuff... This is not really a big deal, but it does depend on what you are using the certificates for.
I like Bruce Schneier's quote on this:
If you're like me and every other user on the planet, you don't give a shit when an SSL certificate doesn't validate. Unfortunately, commons-httpclient was written by some pedantic fucknozzles who have never tried to fetch real-world webpages.
"Pfffft."