Mailinglist Archive: opensuse (2572 mails)

Re: [opensuse] 25C3: Hackers completely break SSL using 200 PS3s
  • From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
  • Date: Fri, 2 Jan 2009 12:02:47 +0100 (CET)
  • Message-id: <alpine.LSU.2.00.0901021200030.6052@xxxxxxxxxxxxxxxx>

On Friday, 2009-01-02 at 10:15 -0000, G T Smith wrote:

> Hmmm... reading the article a little closer. This was only possible from
> one certificate supplier with two key bits of knowledge about that
> supplier's certificates, a fixed certificate signing response time, a
> sequential serial number and took two days to perform with $20K worth of
> computing power... Not quite in the same league as the WEP hack ....

But the "bad guys" can have that kind of manpower and money, if there is money to be earned. Just look at the amount of phishing attempts every day...

> Truth of the matter is no security mechanism will ever be 100% and if
> someone is determined enough it can be broken. The real issue is to make
> it economically non-viable to do it (and possibly put in tripwires so you
> know someone is trying to do it)....
>
> In this case I would focus on the question of the use of sequential
> serial numbers and a static response time... a little randomness in
> these could make the problem more difficult (but not impossible)...

That is very true.
I wonder if they checked other authorities and how many they found vulnerable.

--
Cheers,
Carlos E. R.
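
The two predictable properties discussed in this thread (sequential serial numbers and a fixed signing response time), as an added example that is not part of the original messages: a Python audit over a CA's issuance records, plus a serial generator drawing from the OS CSPRNG. The record layout, the thresholds `max_step` and `min_jitter_s`, the 64-bit serial size and all sample data are assumptions constructed for illustration.

```python
import secrets
from statistics import pstdev


def random_serial(bits=64):
    """Return a non-zero serial with `bits` bits taken from the OS CSPRNG."""
    serial = 0
    while serial == 0:
        serial = secrets.randbits(bits)
    return serial


def audit_issuance(records, max_step=16, min_jitter_s=1.0):
    """Flag predictable issuance behaviour.

    records: list of (serial, requested_at, not_before) tuples in issuance
    order, times in seconds. Returns a list of finding names.
    """
    serials = [r[0] for r in records]
    steps = [b - a for a, b in zip(serials, serials[1:])]
    lags = [not_before - requested for _, requested, not_before in records]

    findings = []
    # Every serial is a small positive increment over the previous one.
    if steps and all(0 < s <= max_step for s in steps):
        findings.append("sequential-serial")
    # The delay between request and validity start barely varies.
    if len(lags) > 1 and pstdev(lags) < min_jitter_s:
        findings.append("fixed-signing-delay")
    return findings


# Constructed sample: counter-based serials, constant 5 s signing delay.
WEAK = [
    (1000, 100.0, 105.0),
    (1001, 460.0, 465.0),
    (1003, 900.0, 905.0),
    (1004, 1500.0, 1505.0),
]

# Constructed sample: CSPRNG serials and a varying signing delay.
HARDENED = [
    (random_serial(), 100.0, 103.2),
    (random_serial(), 460.0, 471.7),
    (random_serial(), 900.0, 906.4),
    (random_serial(), 1500.0, 1519.0),
]

if __name__ == "__main__":
    print("weak CA:    ", audit_issuance(WEAK))
    print("hardened CA:", audit_issuance(HARDENED))
```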
