Re: "Certification Authorities are recommended to stop using MD5 altogether"

On Wed, 31 Dec 2008 02:39:53 +0100, Cristian Ionescu-Idbohrn wrote:

> http://www.win.tue.nl/hashclash/rogue-ca/
> Could some skilled person comment on the article?
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption". Reason
> to worry?

Nah. What we really need to do is patch the crypto libs that use the
certificates in ca-certificates to disable the use of broken algorithms
such as MD5.

But at the end of the day, unless you actually do OCSP validation of 
every single connection you make, you are already running the risk of 
being MitM'd.

And even then, you are basically relying on the CA companies to perform 
the task of validating the identities of certificate-holders, when they 
make a lot more money by simply rubber-stamping everything they see. :)

Happy new year, and sleep well. ;)
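
Added example, not part of the original message: one way to repeat the check from the quoted question, listing which certificates in a PEM bundle carry an MD5-based (or MD2-based) signature algorithm, using only the Python standard library. The function names are hypothetical, and the sample input is a constructed DER shell containing only the fields the parser reads, not real certificates.

```python
import base64, re, sys

# Signature-algorithm OIDs built on broken hashes.
WEAK = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def oid_str(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """OID of Certificate.signatureAlgorithm (the field after tbsCertificate)."""
    _, cert, _ = tlv(der, 0)               # outer Certificate SEQUENCE
    _, _, tbs_end = tlv(der, cert)         # skip tbsCertificate
    _, alg, _ = tlv(der, tbs_end)          # AlgorithmIdentifier SEQUENCE
    tag, start, end = tlv(der, alg)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return oid_str(der[start:end])

def weak_certs(bundle):
    """Return [(index, algorithm name)] for weakly signed certs in a PEM bundle."""
    oids = [signature_oid(base64.b64decode(m.group(1))) for m in PEM.finditer(bundle)]
    return [(i, WEAK[o]) for i, o in enumerate(oids) if o in WEAK]

def skeleton(last_arc):
    """Constructed sample: empty tbsCertificate, 1.2.840.113549.1.1.<last_arc>, empty signature."""
    alg = bytes.fromhex("300d06092a864886f70d0101") + bytes([last_arc]) + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

SAMPLE = skeleton(4) + skeleton(11)        # md5WithRSA, then sha256WithRSA
if __name__ == "__main__":                 # optional argument: path to a PEM bundle
    print(weak_certs(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE))
```

Run with the path to a PEM bundle as the only argument to audit real certificates; with no argument it runs on the constructed sample.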


