how-to block ads
|
-
sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
 ·Optimum Online
| reply to k1ll3rdr4g0n
Re: KARL, YOU ARE WRONG.
said by k1ll3rdr4g0n  :[ If MD6 is available, why not use THAT in certificates instead of MD5? Hell, why not just turn it all the way up to MD11??? | |
k1ll3rdr4g0n
join:2005-03-19
Homer Glen, IL
| reply to MxxCon
said by MxxCon :how can you post a story without even reading it?! THEY NEVER SAID THEY "have found a method of hacking any website".what they did say was that they "found a way to forge certain digital certificates"THAT'S A HUGE DIFFERENCE. your own link to our forum says » SSL security flaw with MD5 certificates announces today that's nothing even close to "hacking any website" KARL, STOP SPREADING FUD! I have to agree with you. Though they claim its just a "proof-of-concept" aka POC or Piece o' cr4p. I love how people always go "omgz its a new exploitz, lets all freak out" - and never actually demonstrates that it works. I mean what the hell people, so if I sat there and said that I found a "POC" exploit for Linux servers would you all jump out of your chair and go "I'm switching to Windows Server". I hope not (assuming I could explain exactly how it worked).
And actually this is partly the browsers fault, and the HTTPS scheme as a whole. I mean I just find the whole idea of *paying* for security a little unsecure. CA's don't maintain SSL, so why should we shell out $$$ to them? But, whatever, back to the point at hand. So lets point out the browser: its stupid. It wont tell you *what* CA verified (unless you manually look) the cert, just that its good; wait...so a cert from ABC company is as valid of a cert from verisign? Uhhh...I see something wrong with that myself but regardless.
I actually did see that a long time ago that 2 (chinese?) people claimed to have "broken" the MD5 algorithm (they claimed they were able to determine collisions or something like that...). They never posted any evidence, just that they broke it. Here it is, what a couple years later, I haven't seen a story on how MD5 is really broken, have you? What makes that even more of a laugh is that MD5 isn't an encryption, its just a hash algorithm. What makes THIS story a laugh too is that MD6 was talked about a long time and seems to be available for your greedy downloading hands.
My question I propose to you:
If MD6 is available, why not use THAT in certificates instead of MD5? After all, don't we trust in CA's to keep our sites and data secure and encrypted? I know I sure don't for my own sites/services (you might be like "wtf?", but I am coming with a solution to that).
In my conclusion, its merely just a response to increase of technology. Its like saying you can find the prime numbers to a 20 digit (I don't know, some obscene number) composite number in a matter of seconds on a quad core, with 64bit os with 4GBs of RAM. Yeah, its defiantly going to make that large number look like nothing on modern technology, but when the number was put out there - the technology at the time couldn't handle it. So - there's nothing to see here, move along. | |
|
