[H-GEN] MD5 weakness can be used to create a trusted rogue CA certificate
Russell Stuart
russell-humbug at stuart.id.au
Tue Dec 30 20:37:15 EST 2008
This was just posted to Sage-AU by Warren Guy - edited because
we are not supposed to re-post from Sage-AU.
"We have identified a vulnerability in the Internet Public Key
Infrastructure (PKI) used to issue digital certificates for secure websites.
...
As a result of this successfull attack, we are currently in possession of a
rogue Certification Authority certificate. This certificate will be accepted
as valid and trusted by all common browsers, because it appears to be signed
by one of the root CAs that browsers trust by default. In turn, any website
certificate signed by our rogue CA will be trusted as well."
intro http://www.phreedom.org/research/rogue-ca/
detail http://www.win.tue.nl/hashclash/rogue-ca/
More information about the General
mailing list