[SSL Observatory] Using observatory data to check CAcert

Hanno Böck hanno at hboeck.de
Sat Jul 30 07:22:00 PDT 2011


On Sat, 30 Jul 2011 16:12:16 +0200,
Ralph Holz <holz at net.in.tum.de> wrote:

> > I have not checked the CAcert database for the Debian SSL
> > vulnerability, as that would've been non-trivial. There were scripts
> > shipped with the SSL Observatory data, but I found them not easy to
> > use, so I skipped that part. 
> 
> I would expect EFF to have done that as they did report on the number
> of PRNG-flawed certificates in either their Defcon or 27C3 talk.

I trust that CAcert has revoked all Debian SSL-vulnerable certificates,
but feel free to check yourself.

> Anyway, people often take SHA1 to be broken. That, however, depends on
> your point of view. You might say collisions at feasible computational
> time mean the algorithm is broken. However, the state-of-the-art for
> actual pre-image attacks is a much much higher boundary, and that's
> the attack that is the real problem.

That is NOT true. Collision attacks ARE a problem for X.509. There has
been a practical attack on X.509 with MD5, which is also still
preimage-resistant:
http://www.win.tue.nl/hashclash/rogue-ca/

The attack was only possible because the SSL authority made other
mistakes (especially predictable serials). So one can argue "if you
choose random serials and don't make mistakes then preimage-resistance
is " - but that's no argument to me, as we've already seen that such
mistakes happen in the real world.

There's really no reason not to use SHA-2. There are no software
compatibility issues in any browser that's reasonably used today. Even
IE6 is capable of doing it.

-- 
Hanno Böck		mail/jabber: hanno at hboeck.de
GPG: BBB51E42		http://www.hboeck.de/
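
An added example, not part of the original message or of the scripts shipped with the SSL Observatory data: a Python audit that flags issuers showing both conditions the message names together, a collision-prone signature hash and predictable serials. The record layout, the thresholds and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Signature algorithms whose hash has known collision weaknesses (OpenSSL names).
COLLISION_PRONE = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def audit_issuers(records, max_step=4, min_fraction=0.8):
    """records: (issuer, serial, not_before_iso, sig_alg) tuples.
    Flags issuers whose serials mostly grow by a small step in issuance order
    (so the next serial can be guessed) and that sign with a collision-prone hash."""
    by_issuer = defaultdict(list)
    for issuer, serial, not_before, sig_alg in records:
        by_issuer[issuer].append((not_before, serial, sig_alg))
    report = {}
    for issuer, certs in by_issuer.items():
        certs.sort()  # ISO 8601 timestamps sort chronologically as strings
        serials = [serial for _, serial, _ in certs]
        steps = [b - a for a, b in zip(serials, serials[1:])]
        small = sum(1 for d in steps if 0 < d <= max_step)
        # A single certificate gives no steps, so nothing can be concluded.
        predictable = bool(steps) and small / len(steps) >= min_fraction
        weak = any(alg in COLLISION_PRONE for _, _, alg in certs)
        report[issuer] = {"weak_hash": weak, "predictable_serials": predictable,
                          "at_risk": weak and predictable}
    return report

# Constructed sample metadata (hypothetical issuers, not Observatory data).
SAMPLE = [
    ("CN=Example CA A", 1000, "2011-07-01T10:00:00Z", "md5WithRSAEncryption"),
    ("CN=Example CA A", 1001, "2011-07-01T10:05:00Z", "md5WithRSAEncryption"),
    ("CN=Example CA A", 1003, "2011-07-01T10:09:00Z", "md5WithRSAEncryption"),
    ("CN=Example CA A", 1004, "2011-07-01T10:20:00Z", "sha1WithRSAEncryption"),
    ("CN=Example CA B", 0x7A3F19C2D04E5B61, "2011-07-02T08:00:00Z", "sha1WithRSAEncryption"),
    ("CN=Example CA B", 0x1B88E0F347AA9C02, "2011-07-02T08:30:00Z", "sha1WithRSAEncryption"),
    ("CN=Example CA B", 0xC4D2016B9E7730FA, "2011-07-02T09:00:00Z", "sha1WithRSAEncryption"),
    ("CN=Example CA C", 50, "2011-07-03T12:00:00Z", "sha256WithRSAEncryption"),
    ("CN=Example CA C", 51, "2011-07-03T12:10:00Z", "sha256WithRSAEncryption"),
    ("CN=Example CA C", 52, "2011-07-03T12:20:00Z", "sha256WithRSAEncryption"),
]

if __name__ == "__main__":
    for issuer, result in sorted(audit_issuers(SAMPLE).items()):
        print(issuer, result)
```

Example CA B still shows a weak hash in the report even though its serials look random, which matches the message's point that unpredictable serials only hold as long as no operational mistake is made.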