-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, 2009-01-02 at 10:15 -0000, G T Smith wrote:
Hmmm... reading the article a little closer. This was only possible from one certificate supplier with two key bits of knowledge about that supplier's certificates, a fixed certificate signing response time and a sequential serial number, and took two days to perform with $20K worth of computing power... Not quite in the same league as the WEP hack....
But the "bad guys" can have that kind of manpower and money, if there is money to be earned. Just look at the amount of phishing attempts every day...
Truth of the matter is no security mechanism will ever be 100%, and if someone is determined enough it can be broken. The real issue is to make it economically non-viable to do it (and possibly put in tripwires so you know someone is trying to do it)....
Yes.
In this case I would focus on the question of the use of sequential serial numbers and a static response time... a little randomness in these could make the problem more difficult (but not impossible)...
That is very true. I wonder if they checked other authorities and how many they found vulnerable.

- --
Cheers,
Carlos E. R.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkld9FgACgkQtTMYHG2NR9X8rACdFhyfhS7G7t457qyR1QrEzw6m
Cc8An0Da1e9/kL6Mhc40vhBlOvQElZem
=TbD6
-----END PGP SIGNATURE-----
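The point raised above about sequential serial numbers and a static signing time is why the attack could be precomputed at all: the colliding certificate pair has to be built offline on top of the exact to-be-signed bytes the CA will later put in front of the public key, so the attacker must guess those bytes before submitting the request. The following is an added example, not code from this thread or from any CA, that models the two issuance policies side by side. The fixed-width prefix layout, the subject name, the start serial, the 6-second default delay and the one-hour jitter window are all constructed assumptions; no real X.509 encoding or MD5 collision is computed here, only the prediction step that the collision depends on.

```python
import secrets

# Constructed subject name; any attacker-chosen value works for the model.
SUBJECT = b"CN=attacker-controlled.example"


def tbs_prefix(serial, not_before, subject):
    """Stand-in for the TBSCertificate bytes that precede the public key.

    Real certificates are DER-encoded; this fixed-width layout (assumed for
    the example) only models which fields the attacker has to predict.
    """
    return serial.to_bytes(8, "big") + not_before.to_bytes(8, "big") + subject


class PredictableCA:
    """Sequential serials and a fixed delay from request to signing."""

    def __init__(self, start_serial=1000, signing_delay=6):
        # Both defaults are assumed values for the model, not a real CA's.
        self.next_serial = start_serial
        self.signing_delay = signing_delay

    def issue(self, subject, request_time):
        serial = self.next_serial
        self.next_serial += 1
        return tbs_prefix(serial, request_time + self.signing_delay, subject)


class RandomizedCA:
    """Unpredictable 64-bit serials and a random delay before signing."""

    def __init__(self, max_delay=3600):
        self.max_delay = max_delay  # assumed jitter window, in seconds

    def issue(self, subject, request_time):
        serial = int.from_bytes(secrets.token_bytes(8), "big")
        delay = secrets.randbelow(self.max_delay)
        return tbs_prefix(serial, request_time + delay, subject)


def observe(issued, request_time):
    """Recover serial and signing delay from a certificate the attacker bought."""
    serial = int.from_bytes(issued[:8], "big")
    not_before = int.from_bytes(issued[8:16], "big")
    return serial, not_before - request_time


def precompute_collision_prefix(serial_seen, delay_seen, subject, planned_request_time):
    """Attacker's guess at the prefix the CA will sign for the next request.

    The colliding block pair would be built on top of this guess; if the CA
    signs anything else, the offline precomputation is wasted.
    """
    return tbs_prefix(serial_seen + 1, planned_request_time + delay_seen, subject)


def attack_succeeds(ca, subject=SUBJECT, t0=1_230_000_000):
    """Probe the CA once, predict the next prefix, then check the prediction."""
    probe = ca.issue(subject, t0)
    serial_seen, delay_seen = observe(probe, t0)
    t1 = t0 + 60  # attacker submits the real request a minute later
    guess = precompute_collision_prefix(serial_seen, delay_seen, subject, t1)
    actual = ca.issue(subject, t1)
    # MD5 is iterated, so an identical prefix means an identical internal
    # state; precomputed colliding blocks only help if the prefixes match.
    return guess == actual


if __name__ == "__main__":
    print("sequential serial, fixed delay:", attack_succeeds(PredictableCA()))
    print("random serial, random delay:   ", attack_succeeds(RandomizedCA()))
```

Against the predictable policy one purchased certificate is enough to learn both fields, and the guess for the next one is exact. With 64 random serial bits the guess is wrong with overwhelming probability, and randomising either field alone already breaks the precomputation; the model does not make MD5 any stronger, it only removes the attacker's ability to know the signed bytes in advance.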