Security team successfully cracks SSL using 200 PS3's and MD5
- Subject: Security team successfully cracks SSL using 200 PS3's and MD5
- From: jabley at hopcount.ca (Joe Abley)
- Date: Fri, 2 Jan 2009 12:39:30 -0500
- In-reply-to: <[email protected]>
- References: <[email protected]>
On 2 Jan 2009, at 12:33, Joe Greco wrote:
> We cannot continue to justify security failure on the basis that a
> significant percentage of the clients don't support it, or are broken in
> their support. That's an argument for fixing the clients.

At a more basic level, though, isn't failure guaranteed for these kinds
of clients (web browsers) so long as users are conditioned to click
OK/Continue for every SSL certificate failure that is reported to them?

If I was attempting a large-scale man-in-the-middle attack, perhaps
I'd be happier to do no work and intercept 5% of sessions (those who
click OK on a certificate that is clearly bogus) than I would to do an
enormous amount of work and intercept 100% (those who would see no
warnings). And surely 5% is a massive under-estimate.

Joe