You may have noticed that when you go to certain websites, you get a signed certificate that is supposed to prove that you are at that actual website. I say supposed to because there was a demonstration at the Chaos Computer Congress of how to spoof (fake) an MD5 certificate of authentication. There are a couple of kinds of certificates, and it appears that only the MD5 CA has been spoofed. This is an older type of certificate, but it is still used by many websites. There had been warnings about this concept for some time; however, it has now actually been demonstrated. So it's no longer just a concept, because there is proof that it can be, and has been, done.
You can read all about it here http://www.win.tue.nl/hashclash/rogue-ca/
Microsoft has also issued a security bulletin about it here http://www.microsoft.com/technet/security/advisory/961509.mspx
The guys who figured out how to do this will not release all the details of how it was done for a couple of months, to give time for a fix to be developed.
I'll post more details as they become available.
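The practical question this raises is whether a certificate you rely on was signed with MD5 at all. The following is an added example, not code from the original post or from the hashclash researchers: a minimal DER reader that pulls the outer signatureAlgorithm OID out of an X.509 certificate and flags the md5WithRSAEncryption OID (1.2.840.113549.1.1.4). The two sample certificates it checks are constructed skeletons (the tbsCertificate and signature fields are stand-ins), not real certificates.

```python
# Added example (not part of the original post): extract the signatureAlgorithm OID
# from a DER-encoded X.509 certificate with a small ASN.1 reader and flag MD5.
# The certificates built below are constructed skeletons, not real certificates.

MD5_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last 7-bit group of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(cert_der):
    """Dotted OID of the algorithm the issuer used to sign this certificate."""
    _, cert, _ = _tlv(cert_der, 0)         # Certificate ::= SEQUENCE { ... }
    _, _, pos = _tlv(cert, 0)              # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)            # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid)

def uses_md5(cert_der):
    """True when the certificate's signature is MD5-based and should be distrusted."""
    return signature_algorithm(cert_der) in MD5_OIDS

# Constructed sample certificates: only the outer structure matters for this check.
def _der(tag, content):                    # short-form length is enough here
    return bytes([tag, len(content)]) + content

MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def sample_cert(oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x01"))  # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, oid_bytes) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 8))
```

To check a real certificate, read its DER bytes (or base64-decode the body of a PEM file) and pass them to `uses_md5`; every certificate in the chain, not just the leaf, needs the check.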
December 30, 2008