  • From: Christophe Meessen <christophe AT meessen.net>
  • To: A better approach to security <cacert AT lists.cacert.org>
  • Subject: Re: [CA cert] [Fwd: [PGPNET] SSL Broken?]
  • Date: Sat, 03 Jan 2009 22:28:09 +0100

Thanks for answering.

Jan Pieter Cornet wrote:
> I believe you haven't read the detailed explanation on this page:
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> It answers all the questions you still might have, and then some.

I think I understood it. What I don't understand is why the lists of trusted root CAs contained in browsers and some operating systems haven't yet been purged of MD5 certificates, and why certificates using MD5 as the signature hash aren't flagged as invalid. That's how it can be solved. The missing trusted root CA will block derived certificates.

After a second careful reading I can't find the list of MD5-signing/MD5-signed root CAs. Are we supposed to work it out ourselves?

If it is the former, it would be good to know which CAs are using MD5 signatures, because this is indeed a big mistake.
If it is the latter, it would also be good to know which PKI has this weakness. One needs to know whether we are exposed and in what way.

>> It is regrettable that the author uses false claims such as "SSL is broken", because this is confusing the reader.
>
> SSL _is_ broken. Or rather, one specific implementation of it. As a
> result, the attackers are now in possession of a CA that is trusted by
> every browser, with which they can sign any site they like.

I'm sorry, but SSL is a protocol, and the protocol is not broken. The scope goes well beyond SSL and concerns TLS as well as mail and software signatures.
The problem is in fact "only" the capacity to generate a forged certificate when MD5 is used as the hash in the signature. Did I understand it correctly?

> While the certificate they demonstrate is only valid in August 2004, it
> is theoretically possible that there are multiple CAs that have that
> capability, in the hands of criminals.
>
> How much more breakage do you need before _you_ believe SSL is broken?

It is the use of the MD5 hash for signatures that is broken, and this has been known for more than a year now. Not SSL.
> The good news is: it's unlikely that somebody else already did this, and
> it's very unlikely that these whitehats indeed have another rogue CA,
> and if we all stop using MD5 right now, we can continue to use SSL using
> SHA1 like nothing ever happened (oh, maybe erase the Comodo CA from your
> machine too if you want to be really safe ;)

The right action is to remove all root CAs using MD5 or less secure signatures, and to change the certificate signature checking code to consider signatures using an MD5 hash as invalid. If possible this should be extended to all signature checking (i.e. mail and software).

I checked the Comodo CAs in Thunderbird and they are all using SHA-1 as the signing algorithm. Why suggest removing the Comodo CA?

But IPS Seguridad CA (shipped with Thunderbird and Firefox on Windows), for instance, is using an MD5 hash, and since it uses the old version of X.509 certificates it has no limit on the number of intermediate CAs.

I also found an RSA Data Security, Inc. / Verisign "RSA Secure Server CA" (root CA) using the MD2 hash (!!!) algorithm, with no limit on intermediate CAs since it also uses a version 1 certificate. What a mess! (Don't confuse it with RSA Security, Inc., who use SHA-1.) Found it in Firefox and Thunderbird!

The CAcert root CA, class 3 and signing authority are also using MD5 and have no limit on intermediate CAs. So these are exposed too.
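The audit the message above performs by hand (reading the signature algorithm and the certificate version out of each root in the browser store) can be scripted. The following is an added example written for this archive page; it is not code from the list, from CAcert or from the hashclash authors. It uses only the Python standard library: a minimal DER reader pulls the outer signatureAlgorithm OID, the version (absent in v1, which is why v1 roots can carry no basicConstraints and hence no pathLenConstraint) and, for v3 certificates, the pathLenConstraint from basicConstraints. The sample certificates are constructed in the block itself with a tiny DER encoder and carry a dummy signatureValue, so they parse like real certificates but would never verify; the OIDs and field layout follow RFC 5280, everything else (names, dates, the `audit_pem` helper) is an assumption for the demo.

```python
"""Flag certificates signed with MD2/MD4/MD5 and X.509 v1 roots that cannot carry a
pathLenConstraint. Stdlib-only DER parsing; sample certs below are constructed test data
with a dummy signatureValue (they are not cryptographically valid)."""
import ssl

# Signature-algorithm OIDs (dotted form); the first three use a broken hash.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIG_OIDS = dict(WEAK_SIG_OIDS, **{"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                                        "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"})
BASIC_CONSTRAINTS_OID = "2.5.29.19"

# --- minimal DER reader (enough for Certificate / TBSCertificate) -------------------
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed TLV into its (tag, value) parts."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n)); n = 0
    return ".".join(arcs)

def audit_certificate(der_bytes):
    """Report signature hash strength, X.509 version and pathLenConstraint of one cert."""
    _, cert, _ = der_read(der_bytes)
    tbs, sig_alg, _sig_value = der_children(cert)    # Certificate ::= SEQUENCE {tbs, alg, sig}
    fields = der_children(tbs[1])
    version = 1                                       # [0] EXPLICIT version is absent in v1
    if fields[0][0] == 0xA0:
        version = int.from_bytes(der_children(fields[0][1])[0][1], "big") + 1
    oid = decode_oid(der_children(sig_alg[1])[0][1])  # outer signatureAlgorithm OID
    path_len = None
    for tag, val in fields:
        if tag != 0xA3:                               # [3] EXPLICIT extensions, v3 only
            continue
        (_, seq_of), = der_children(val)
        for _, ext in der_children(seq_of):
            parts = der_children(ext)                 # extnID, [critical], extnValue
            if decode_oid(parts[0][1]) == BASIC_CONSTRAINTS_OID:
                (_, bc), = der_children(parts[-1][1])
                ints = [v for t, v in der_children(bc) if t == 0x02]
                if ints:
                    path_len = int.from_bytes(ints[0], "big")
    return {"version": version,
            "signature_algorithm": KNOWN_SIG_OIDS.get(oid, oid),
            "weak_signature_hash": oid in WEAK_SIG_OIDS,
            "path_len_constraint": path_len}          # None = unbounded intermediate depth

def audit_pem(pem_text):
    """Hypothetical helper: audit a PEM block exported from a browser trust store."""
    return audit_certificate(ssl.PEM_cert_to_DER_cert(pem_text))

# --- constructed sample certificates (test data, not real roots) ---------------------
def der(tag, content):
    n = len(content)
    ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]; a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F)); a >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def sample_cert(sig_oid, version=1, path_len=None):
    """Build a syntactically valid, unsigned certificate for the audit (dummy signature)."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, b"Sample CA"))))
    validity = der(0x30, der(0x17, b"090101000000Z") + der(0x17, b"190101000000Z"))
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00\x30\x00"))
    fields = der(0xA0, der(0x02, b"\x02")) if version == 3 else b""
    fields += der(0x02, b"\x01") + alg + name + validity + name + spki
    if version == 3:                                  # cA=TRUE, optional pathLenConstraint
        bc = der(0x01, b"\xff") + (der(0x02, bytes([path_len])) if path_len is not None else b"")
        ext = der(0x30, encode_oid(BASIC_CONSTRAINTS_OID) + der(0x01, b"\xff") + der(0x04, der(0x30, bc)))
        fields += der(0xA3, der(0x30, ext))
    return der(0x30, der(0x30, fields) + alg + der(0x03, b"\x00" * 17))

if __name__ == "__main__":
    for label, cert in [("v1 root, MD5", sample_cert("1.2.840.113549.1.1.4")),
                        ("v1 root, MD2", sample_cert("1.2.840.113549.1.1.2")),
                        ("v3 root, SHA-1, pathlen 0", sample_cert("1.2.840.113549.1.1.5", 3, 0))]:
        print(label, audit_certificate(cert))
```

A root that reports `weak_signature_hash` true is one a browser should refuse to chain through; a `path_len_constraint` of `None` on a v1 root matches the "no limit on intermediate CAs" observation in the message, because a v1 certificate has no extensions field at all. Only the outer signatureAlgorithm is inspected; a real validator would also confirm it matches the TBSCertificate's inner signature field.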






