MD5 Crack: Does It Matter?

Wednesday, December 31, 2008 

Some very clever people have figured out how to create an exploitable real world MD5 hash collision.  It is interesting work and suggests that the value of an MD5 signature to verify a certificate is lower than intended.  In the end the work shows it is possible to spoof a web site in such a way that a browser’s normal security features for detecting false websites are defeated.  But does it really matter?

That presumption, that a CA would be meaningful in preventing phishing or redirection or whatever by uniquely identifying a site as belonging to the entity in question because the user trusts the domain name, is prima facia absurd.  Would you even think about going to www.bofa.com instead of www.bankofamerica.com or whatever?  I wouldn’t; most banks would buy every variation of their name including common misspellings (www.bnkofamerica.com?), so that a misspelling seems to work wouldn’t surprise me at all.  That a misspelling gets a cert thus means nothing either.

Uh Oh, something's wrong.  So what?
Further, what do you do when a cert fails, for example if the CA can’t be identified or the cert is expired or whatever?  Do you back out of the transaction and call the bank to find out what’s going on?  Do you think you could ever reach anyone at the bank who knew?  Send them an email? (which would probably go to the fake bank anyway).  I just accept the cert and move on.

Since CAs and certs are already a complete failure as a proof of identity mechanism, MD5 signature spoofing is also irrelevant for the vast majority of users.

HTTPS is useful for encrypting traffic.  It shouldn’t be used for anything else.  The whole signed CA/Cert thing is an impediment to this useful function for a useless feature that is merely cryptographically entertaining.  Google’s and various browser mechanisms to identify malicious sites are far more effective, although a few users are likely to get scammed before the fraud is identified.

Posted at 16:48:46 UTC

Category: technology

The holidays are all about service

Tuesday, December 30, 2008 

Not.

/Media Card/BlackBerry/pictures/IMG00184-20081230-1755.jpg
Posted at 19:00:12 UTC

Category: Related Links

Flag disposal unit

Saturday, December 27, 2008 

Dispose of your flag legally and conveniently.

/Media Card/BlackBerry/pictures/IMG00183-20081227-1425.jpg
Posted at 16:00:15 UTC

Category: Related Links

One:One Coffee Maker

Saturday, December 27, 2008 

The holiday inn select in Deleware had a new coffee maker, a pseudo cartridge espresso system from 1to1coffee.com. It was less bad than in-room coffee usually is.  Perhaps up to office bad coffee or even cheap diner grade coffee.  Usually in room coffee is more or less warm cardboard water with a dash of mold tasting.

/Media Card/BlackBerry/pictures/IMG00182-20081227-1029.jpg
Posted at 11:52:01 UTC

Category: Related Links

Mike boned the chicken

Sunday, December 21, 2008 

/Media Card/BlackBerry/pictures/IMG00162-20081221-1953.jpg
Posted at 21:00:16 UTC

Category: Related Links

I Miss BBC NewzQuiz with Sandi Toksvig

Saturday, December 20, 2008 

It is one of my favorite shows. It is replaced by The Now Show, which is better than The Man Show but not nearly as funny as good as NewsQuiz. How will I keep up with snarky British politics now?

Posted at 03:00:10 UTC

Category: Related Links

Plow Phalanx on 401

Friday, December 19, 2008 

With miles of traffic behind it.

/Media Card/BlackBerry/pictures/IMG00157-20081219-1226.jpg
Posted at 14:00:10 UTC

Category: Related Links

Off to the airport…

Friday, December 19, 2008 

… In snowmaggeddon.

/Media Card/BlackBerry/pictures/IMG00155-20081219-1131.jpg
Posted at 13:00:15 UTC

Category: Related Links

Wheee! Snow!

Friday, December 19, 2008 

/Media Card/BlackBerry/pictures/IMG00153-20081219-0745.jpg
Posted at 09:00:20 UTC

Category: Related Links

Snowmaggeddon!

Friday, December 19, 2008 

Why do I spend so much time in Guelph? Because we just don’t get weather like this in Oakland…

/Media Card/BlackBerry/pictures/IMG00152-20081219-0738.jpg
Posted at 09:00:12 UTC

Category: Related Links