So, the Internet gets broken one last time in 2008.
Complete details are up and it is a really good write-up. Take the time to read the whole thing. The short version is that MD5 in SSL is bad and should not be used. Using the attack detailed in the write-up, the group was able to create a rogue CA certificate allowing them to "issue SSL certificates to any website we like, including rogue websites claiming to be legitimate ones". This is bad, bad news. Users have been trained (or at least the attempt has been made) to look for the "lock" symbol to see if sites are legitimate or not. This attack invalidates those sorts of checks for users, destroying any sort of trust on the Internet.
There are a number of CAs which could be attacked in such a manner.
Criticism has already been thrown around, saying that a demo of this attack was not needed and that all it did was help the bad guys. I disagree, as this sort of attack has been a theory for quite a while. But as it was never demonstrated, no one took it seriously. Now it should be taken seriously. You have to remember, vendors have no desire to release secure products. They have a desire to make money. Secure products are only desired insofar as having them is a selling point and not having them turns customers away.
Congrats to the group for putting this together. And here is hoping this problem is taken care of soon.
Oh, and I do find it interesting that a cluster of PS3s was utilized to assist with the attack.
New Website
Check out MattChurchill.net. I have migrated most of the content over to this site and will mostly be using it from now on. Thanks.