cacert - Re: [CA cert] [Fwd: [PGPNET] SSL Broken?]

Subject: A better approach to security

  • From: Jan Pieter Cornet <johnpc AT xs4all.nl>
  • To: A better approach to security <cacert AT lists.cacert.org>
  • Subject: Re: [CA cert] [Fwd: [PGPNET] SSL Broken?]
  • Date: Sat, 3 Jan 2009 23:51:32 +0100

On Sat, Jan 03, 2009 at 10:28:09PM +0100, Christophe Meessen wrote:
>> http://www.win.tue.nl/hashclash/rogue-ca/
>>
> I think I understood it. What I don't understand is why lists of trusted
> rootCA contained in browsers and some operating systems aren't yet purged
> of md5 certificates and why certificates using md5 as signature hash aren't
> flagged as invalid? That's how it can be solved. The missing trusted
> rootCA will block derived certificates.
>
> After a second careful reading I can't find the list of md5 signing/signed
> rootCA. Are we supposed to work it out ourselves?

Read section 5 again.

>> SSL _is_ broken. Or rather, one specific implementation of it. As a
>>
> I'm sorry, but SSL is a protocol and the protocol is not broken. The scope
> goes well beyond SSL and concerns TLS as well as mail and software
> signature.

Sorry to sound like a cliché, but it's like a chain... only as strong as
the weakest link.

> The problem is in fact "only" the capacity to generate a forged certificate
> when md5 is used as hash in the signature. Did I understand it correctly?

Roughly. Only if both the original and the rogue certificate are
specifically crafted. So in effect, SSL certs that currently use MD5 for
signing aren't in danger of getting broken or anything.

It's only that MD5-signed certs _might_ be rogue because they were
specifically crafted. It's rather hard for end-users to detect
these certificates (if not impossible), so in section 7 the authors
recommend to flag all MD5-signed certs as "suspicious".

> The right action is to remove all rootCA using md5 or less secure

I'd suggest looking at section 7 for "the right action"s ;)

> I checked comodo CA in thunderbird and they are all using sha-1 for signing
> algorithm. Why suggesting to remove comodo CA ?

Unrelated events, but equally significant in breaking SSL, now in a
completely different link of the chain. In fact, I think this is a lot
more damning than the MD5 collision, because it's pretty much certain
that criminals are in the possession of SSL certificates for sites that
they shouldn't have SSL certs for.

See:
http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/print.html

(In fact - I believe that any browser manufacturer that leaves the
Comodo CA enabled, but doesn't include the CACert CA, is giving a clear
statement that it's only about the money, and has nothing to do about
security).

--
Jan-Pieter Cornet <johnpc AT xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs. !!
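An added illustration of the weakest-link point and of the section 7 recommendation to flag MD5-signed certificates; this is not code from the thread or from the hashclash authors. Certificates are modelled as plain dicts, with constructed names and trust store; the OIDs are the real signatureAlgorithm identifiers for md5/sha1/sha256WithRSAEncryption.

```python
# Real OIDs from the X.509 signatureAlgorithm field (RSA PKCS#1 v1.5).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
}
WEAK_HASHES = {"md5"}  # chosen-prefix collisions are practical

def signature_hash(cert):
    """Map a certificate's signatureAlgorithm OID to a hash name."""
    return SIG_ALG_OIDS.get(cert["sig_alg_oid"], "unknown")

def evaluate_chain(chain, trust_anchors):
    """Return (verdict, findings) for a chain given leaf first.

    Each cert is a dict with subject, issuer and sig_alg_oid; trust_anchors is
    the set of subject names held in the local root store. Verdicts: "ok",
    "suspicious" (a weak or unknown hash on some link), "untrusted" (no anchor
    reached) or "invalid" (issuer/subject names do not link up).
    """
    findings = []
    for i, cert in enumerate(chain):
        if cert["subject"] == cert["issuer"] and cert["subject"] in trust_anchors:
            break  # the anchor itself: its self-signature is not a link
        h = signature_hash(cert)
        if h in WEAK_HASHES or h == "unknown":
            findings.append(f"{cert['subject']} signed by {cert['issuer']} using {h}")
        if cert["issuer"] in trust_anchors:
            break  # issued directly by a store anchor: chain complete
        if i + 1 == len(chain):
            return "untrusted", findings + ["chain does not reach a trust anchor"]
        if chain[i + 1]["subject"] != cert["issuer"]:
            return "invalid", findings + [f"chain does not link at {cert['subject']}"]
    return ("suspicious" if findings else "ok"), findings

# Constructed sample data: names and trust store are invented for the example.
TRUST_STORE = {"CN=Example Root"}
MD5_CHAIN = [  # intermediate signed with MD5, the link a rogue CA would exploit
    {"subject": "CN=www.example.test", "issuer": "CN=Example Sub CA",
     "sig_alg_oid": "1.2.840.113549.1.1.5"},
    {"subject": "CN=Example Sub CA", "issuer": "CN=Example Root",
     "sig_alg_oid": "1.2.840.113549.1.1.4"},
]
SHA1_CHAIN = [dict(c, sig_alg_oid="1.2.840.113549.1.1.5") for c in MD5_CHAIN]

if __name__ == "__main__":
    print(evaluate_chain(MD5_CHAIN, TRUST_STORE))
    print(evaluate_chain(SHA1_CHAIN, TRUST_STORE))
```

Note that the root's own self-signature is never inspected: trust comes from the store entry, so the link that matters is the MD5 signature the root put on the intermediate.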