Tuesday

#25C3 Talk: "MD5 considered harmful today: Creating a rogue CA certificate" (updated)



Our conspiracy theories of yesterday weren't far off the mark. This was on the CCC event page this morning:

The title of the talk “Making the theoretical possible” has been changed to “MD5 considered harmful today: Creating a rogue CA certificate”. The speakers will be Alexander Sotirov, Marc Stevens and Jacob Appelbaum.
We knew that the use of MD5 wasn't really advisable anymore and that we would run into issues in the future. But we hit a wall sooner than we thought. This has serious consequences!!

Talk will be streamed at 15:15 CET
http://events.ccc.de/congress/2008/wiki/Streaming

Follow live tweets @security4all.

UPDATE: Alex gives a small synopsis on the phreedom.org website.
We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol. (Read more)
UPDATE 2: Details were just released on the http://www.win.tue.nl website.
