Search:  

 
theme to black backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Security » SSL security flaw with MD5 certificates announces today
Search Topic:
 Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Post a:
Post a:
Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal
Old AVG issues »
« Website viruses can't infect you if you use Firefox?  
AuthorAll Replies


TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast

2 edits		reply to amungus
Re: SSL security flaw with MD5 certificates announces today

said by amungus See Profile :

When looking at the details for "Certificate Signature Algorithm" for gmail, I see:

"PKCS #1 SHA-1 With RSA Encryption"

The "general" tab simply shows both SHA-1 and MD5 fingerprints.

Does this mean that it's still vulnerable, even if both hashes are present? Does that not matter since MD5 is there at all???

If these are still vulnerable, what a headache it will be to update all kinds of certificates.
According to the news item MD5 & SHA1 have the same vulnerability exposure.
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?
to forum · permalink · · 2008-12-30 12:11:11 · Reply to this


Sir Meowmix III
said by TKJunkMail See Profile :

According to the news item MD5 & SHA1 have the same vulnerability exposure.
I do not see this to be the case in my reading. I show that only those signed with MD5 are vulnerable, not those with SHA-1. Even Microsoft seems to indicate this as well, although they're certainly not authoritative source in security.

quote:
Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm.
to forum · permalink · 2008-12-30 13:24:46 · Reply to this

amungus
Premium
join:2004-11-26
America
clubs:

 That's how I read it too... which is why I still think the question has some merit.

Barring SHA-1 only hashes, what's the story if you see both??? Is it still (more) secure when both are present, or is it completely irrelevant if one is breakable?

As for the browser idea... that's not a bad thought, but I don't think it'd work as smoothly - it's also incumbent on the user to patch their browser. Would be a more "certain" solution if the server certs themselves were guaranteed to be not using MD5.

Once that's done, the browser wouldn't care. There simply wouldn't be any MD5 hash present to begin with, which would then eliminate the chance of having an insecure hash being present...
to forum · permalink · · 2008-12-30 13:29:25 · Reply to this
-
Forums » Up and Running » Security » SecurityOld AVG issues »
« Website viruses can't infect you if you use Firefox?  

Friday, 27-Nov 18:13:39 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.republican-creole
page compression OFF
Most commented news this week
· [119] Time Warner Cable Fires Broadside At Broadcasters
· [111] New AT&T Ad Campaign Hits Back At Verizon
· [95] Apple Joins AT&T Verizon Snark Fest
· [87] New Bill Takes Aim At Higher Verizon ETFs
· [70] TiVo Sees Record Customer Losses
· [68] In-Flight Internet Headed For Bumpy Landing?
· [60] Thanksgiving Open Thread
· [57] Verizon CEO: Hulu Will Be Dead Soon
· [38] EFF Wages War On Fine Print
· [38] ICANN Slams DNS Redirection
Most people now reading
· Windows 7 boot manager editing questions [Microsoft Help]
· Bell Response to PIPEDA Request [TekSavvy]
· 3.x Feral Druid - Bear Tanking Guide [World of Warcraft]
· [Vista] Why is HD So Full? [Microsoft Help]
· Leveling to 85 [World of Warcraft]
· HOW-TO: QoS and Tomato (fixes "choppy voice") [MagicJack]
· Whats the big deal about being "Old School"....? [World of Warcraft]
· Top Standalone Antivirus Software for 2010 [Security]
· [Newsgroups] Newzleech down? [Filesharing Software]
· What is the spell hit cap for a lvl 80 full arcane spec mage [World of Warcraft]