Martin Mielke wrote:
> Hi all,
> I'm sending this to both the users list and the off-topic one as it has a rather big impact:
> http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-p...
> Happy New Year everyone!
> Martin
Hmmm... reading the article a little closer. This was only possible from one certificate supplier with two key bits of knowledge about that supplier's certificates, a fixed certificate signing response time and a sequential serial number, and took two days to perform with $20K worth of computing power... Not quite in the same league as the WEP hack....

Truth of the matter is no security mechanism will ever be 100%, and if someone is determined enough it can be broken. The real issue is to make it economically non-viable to do it (and possibly put in tripwires so you know someone is trying to do it).... In this case I would focus on the question of the use of sequential serial numbers and a static response time... a little randomness in these could make the problem more difficult (but not impossible)...

News folks, the sky has not fallen yet....

--
==============================================================================
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
==============================================================================
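An added example, not from the list post: a small Python audit of the two issuer properties the reply singles out, sequential serial numbers and a fixed signing delay, next to what a hardened issuer does instead. The gap threshold, the 64-bit minimum and all sample serials and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta
import secrets

SEQUENTIAL_GAP = 16     # assumed threshold: gaps this small make the next serial guessable
MIN_SERIAL_BITS = 64    # assumed policy: a random serial should carry at least 64 bits

def serials_are_sequential(serials, max_gap=SEQUENTIAL_GAP):
    """True if each serial is a small positive step from the previous one,
    so the serial of the *next* certificate can be guessed from the last."""
    gaps = [b - a for a, b in zip(serials, serials[1:])]
    return bool(gaps) and all(0 < g <= max_gap for g in gaps)

def serial_is_short(serial, min_bits=MIN_SERIAL_BITS):
    """True if the serial is too small to hold min_bits of randomness."""
    return serial.bit_length() < min_bits

def signing_delay_is_fixed(submit_times, not_before_times):
    """True if notBefore minus submission time never varies, so the validity
    field of a future certificate is predictable to the second."""
    delays = [nb - s for s, nb in zip(submit_times, not_before_times)]
    return len(delays) > 1 and max(delays) == min(delays)

def audit_issuer(serials, submit_times, not_before_times):
    """Return the findings a defender would flag for one issuer."""
    findings = []
    if serials_are_sequential(serials):
        findings.append("sequential serial numbers")
    if any(serial_is_short(s) for s in serials):
        findings.append(f"serials shorter than {MIN_SERIAL_BITS} bits")
    if signing_delay_is_fixed(submit_times, not_before_times):
        findings.append("fixed signing delay (predictable notBefore)")
    return findings

def random_serial(bits=MIN_SERIAL_BITS):
    """Hardened issuer: CSPRNG serial with the top bit forced so every
    serial is exactly `bits` long and never looks like a counter."""
    return (1 << (bits - 1)) | secrets.randbits(bits - 1)

# Constructed sample: a weak issuer handing out consecutive serials and
# stamping notBefore exactly 6 s after each request was submitted.
T0 = datetime(2008, 12, 29, 10, 0, 0)
WEAK_SUBMIT = [T0 + timedelta(minutes=7 * i) for i in range(4)]
WEAK_NOTBEFORE = [t + timedelta(seconds=6) for t in WEAK_SUBMIT]
WEAK_SERIALS = [641203, 641204, 641205, 641206]

# Same four requests from a hardened issuer: random serials, jittered notBefore.
HARD_SERIALS = [random_serial() for _ in range(4)]
HARD_NOTBEFORE = [t + timedelta(seconds=6 + secrets.randbelow(3600)) for t in WEAK_SUBMIT]
```

Running `audit_issuer` on the weak sample returns all three findings; on the hardened sample it returns an empty list.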