
cacert - Re: [CA cert] [Fwd: [PGPNET] SSL Broken?]

Subject: A better approach to security

  • From: Alain Knaff <alain AT knaff.lu>
  • To: A better approach to security <cacert AT lists.cacert.org>
  • Subject: Re: [CA cert] [Fwd: [PGPNET] SSL Broken?]
  • Date: Mon, 05 Jan 2009 09:34:03 +0100

Christophe Meessen wrote:
> Christoph A. wrote:
>> Jan Pieter Cornet wrote:
>>
>>> It's rather hard for end-users to detect
>>> these certificates (if not impossible)
>>>
>>
>> SSL Blacklist now detects and warns about certificate chains that use
>> the MD5 algorithm for RSA signatures.
>>
>> http://www.codefromthe70s.org/sslblacklist.asp
>
> If I understood correctly, the problem is the generation of forged
> certificates with the same MD5 as a genuine certificate by exploiting
> MD5 collisions. Setting the CA flag in this forged certificate allows one
> to sign other certificates on behalf of the root CA.
>
> So every certificate signed by its CA with the MD5 hash (or MD2!!) is
> suspect.

Which unfortunately includes the Level 3 root of CAcert. This is not a
problem if you import it as a root into your browser, but it is if you
set it up as a chained certificate in your web server (hanging off the
Level 1 cert, as recommended on the create certificate page).

>
> It should be enough to get rid of the rootCA using MD5, MD2 or worse to
> secure oneself because the chain of certification will be cut at the
> root.

The top-level roots themselves may be signed by MD5 (and often are), as
those are "trusted" by being directly included in the browser's CA list
rather than being signed by another authority. The only troublesome MD5
certs are those in chains (middle of chain and leaf, but not start of
chain).

> Any certificate deriving from those will be flagged as
> unverifiable. Looking at the root CA certificate details, there is a field
> telling the hash algorithm used for signing. So it should be easy to
> recognize the ones using an insecure hash.
>
> Is that assumption valid?

As far as I understand, this is what SSL Blacklist does.

Alain
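The rule the thread converges on is mechanical: read the signatureAlgorithm field of each certificate in the served chain and flag MD2- or MD5-based RSA signatures, but do not flag the self-signed trust anchor at the top, since it is trusted by virtue of being in the browser's store rather than by its own signature. The following is an added example, not code from the message, from SSL Blacklist or from CAcert. It uses only the Python standard library: a minimal DER walk pulls the outer AlgorithmIdentifier OID out of a certificate, and a chain check applies the anchor exemption. The certificates in the sample chain are constructed skeletons (placeholder tbsCertificate, no real signature) built only so the example runs offline; the names `fake_cert_der`, `weak_signatures` and the subject strings are this example's own.

```python
"""Flag weak-hash (MD2/MD5) RSA signatures in an X.509 chain, exempting the anchor."""

# Signature algorithm OIDs from PKCS#1 / RFC 3279.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
SHA1_RSA = "1.2.840.113549.1.1.5"
MD5_RSA = "1.2.840.113549.1.1.4"


def _read_tlv(data, pos):
    """Parse one DER TLV starting at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content octets into dotted form."""
    parts = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm_oid(cert_der):
    """Return the OID in the outer signatureAlgorithm field of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    _, cert, _ = _read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)          # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid)


def weak_signatures(chain):
    """chain: list of {"subject", "issuer", "der"} ordered leaf -> root.

    Returns (subject, algorithm name) for every certificate signed with a weak
    hash, except a self-signed certificate at the end of the chain: that one is
    the trust anchor, whose trust comes from the browser store, not its signature.
    """
    findings = []
    last = len(chain) - 1
    for i, cert in enumerate(chain):
        oid = signature_algorithm_oid(cert["der"])
        is_anchor = i == last and cert["subject"] == cert["issuer"]
        if oid in WEAK_SIG_OIDS and not is_anchor:
            findings.append((cert["subject"], WEAK_SIG_OIDS[oid]))
    return findings


# --- constructed test data (not real certificates) ---------------------------

def _tlv(tag, body):
    """DER-encode one TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    """Encode a dotted OID into DER content octets (base-128, high bit continues)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_cert_der(sig_oid):
    """Constructed Certificate skeleton: placeholder tbs, real AlgorithmIdentifier, dummy BIT STRING."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + bytes(16))
    return _tlv(0x30, tbs + alg + sig)


# Mirrors the chained-deployment case in the thread: an MD5-signed intermediate
# hanging off an (MD5 self-signed) root that sits in the browser store.
SAMPLE_CHAIN = [
    {"subject": "CN=www.example.test", "issuer": "CN=Example Class 3 CA", "der": fake_cert_der(SHA1_RSA)},
    {"subject": "CN=Example Class 3 CA", "issuer": "CN=Example Root CA", "der": fake_cert_der(MD5_RSA)},
    {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA", "der": fake_cert_der(MD5_RSA)},
]

if __name__ == "__main__":
    for subject, alg in weak_signatures(SAMPLE_CHAIN):
        print(f"weak signature on {subject}: {alg}")
```

Run against a real chain, the `der` entries would be the certificates as served by the TLS handshake (for example from `ssl.SSLSocket.getpeercert(binary_form=True)` plus the intermediates the server sends), ordered leaf first. The exemption covers only the final self-signed certificate; an MD5-signed certificate anywhere else in the chain, including a root that is itself chained under another CA as the message describes, is reported.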
