The cat is out of the bag …

The title of the talk “Making the theoretical possible” has been changed to “MD5 considered harmful today: Creating a rogue CA certificate”. The speakers will be Alexander Sotirov, Marc Stevens and Jacob Appelbaum.

Dag Arne Osvik, David Molnar, Arjen Lenstra and Benne de Weger will also be in the audience.


From left to right: Benne de Weger, Arjen Lenstra, Marc Stevens, Jacob Appelbaum, David Molnar, Alexander Sotirov. Photo: Alexander Klink (CC-BY)

Tags: , , , ,

3 Responses to “The cat is out of the bag …”

  1. CCC Events Weblog » Blog Archive » The cat is out of the bag ……

    MD5 will be proven obsolete later today. SSL and any other false sense of security that existed in the world is about to be a joke….

  2. akronymitis says:

    The “SSL Blacklist” plugin for Firefox will warn you about certificates that are affected by the MD5 vulnerability. (It original function is to report weak Debian OpenSSL certificates.) Ironically, it also generates a MD5-related warning with events.ccc.de. :)

  3. [...] Yesterday’s presentation at the Chaos Communication Congress by a handful of researchers brought to light that the use of MD5 for secure computing (digital certificates, SSL, etc) truly is gasping its last breath. A fine summary of the MD5 algorithm and its use by the Certificate Authorities is written up by Scott Merrill here.Unfortunately, Mr. Merrill makes the same lame excuse for the CA’s that most of the software world has made for decades regarding change: “MD5 has been known for some time to be weak against collision attacks, but running a CA is a pretty complex operation, so the entities behind them are slow to change.” Pretty complex? When something is broken, profitable security enterprises have the resources to change it (the researchers themselves state that the “affected CAs are switching to SHA-1″). That excuse simply is not valid. [...]