[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Whoos with GnuTLS and md5-signed certificates



Daniel Kahn Gillmor wrote:
Are there any concrete proposals for how to deal with this
systematically within debian without leaving GnuTLS users in lenny
perpetually gullible to MD5-based forgeries, or improperly-trusted V1
certificates?

Unless you want to "fix" openssl, Firefox, etc, Lenny users will still be vulnerable even if GnuTLS is fixed.

The sooner MD5 certificates (not counting explicitly trusted self signed certificates here) are disabled everywhere the better, IMHO.

Yes, this may break stuff. Unfortunately.

--
Brian May <brian@microcomaustralia.com.au>


Reply to: