[SSL Observatory] Interesting fun with Verisign and X.509 by Kaminsky, Patterson, Sassaman

Chris Palmer chris at eff.org
Wed May 4 10:45:51 PDT 2011


https://www.cosic.esat.kuleuven.be/publications/article-1432.pdf

"""In this paper, we demonstrate two new classes of collision, which will be somewhat trickier to address than previous attacks against X.509: the applicability of MD2 preimage attacks against the primary root certificate for Verisign, and the difficulty of validating X.509 Names contained within PKCS#10 Certificate Requests. We also draw particular attention to two possibly unrecognized vectors for implementation flaws that have been problematic in the past: the ASN.1 BER decoder required to parse PKCS#10, and the potential for SQL injection from text contained within its requests."""


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
https://www.eff.org/code
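The abstract quoted above names two implementation hazards, the ASN.1 BER decoder behind PKCS#10 and SQL injection from the text a request carries. What follows is an added example, not code from the post or from the paper: a strict DER walker for the X.509 Name inside a request that rejects BER-only length encodings and control characters before the commonName reaches SQL, and then only as a bound parameter. It assumes attribute values encoded as UTF8String, PrintableString or IA5String, uses Python's sqlite3 purely as a stand-in store, and constructs its own sample Names with `build_name`.

```python
import sqlite3
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
TEXT_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8String, PrintableString, IA5String

def read_tlv(buf, pos):  # -> (tag, value, next_pos); accepts strict DER length forms only
    tag, first = buf[pos], buf[pos + 1]            # IndexError on a truncated buffer is acceptable
    n = first & 0x7F if first >= 0x80 else 0       # count of long-form length bytes; 0 = short form
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    if first == 0x80 or (n and (length < 0x80 or buf[pos + 2] == 0)):
        raise ValueError("indefinite or non-minimal length: BER, not DER")
    pos += 2 + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def name_attributes(name_der):
    """Walk Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); return [(oid, text)]."""
    tag, body, end = read_tlv(name_der, 0)
    if tag != 0x30 or end != len(name_der):
        raise ValueError("Name must be exactly one SEQUENCE with nothing trailing")
    out, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = read_tlv(body, pos)
        p = 0
        while p < len(rdn):
            seq_tag, atv, p = read_tlv(rdn, p)
            oid_tag, oid, q = read_tlv(atv, 0)
            val_tag, raw, q = read_tlv(atv, q)
            if (set_tag, seq_tag, oid_tag) != (0x31, 0x30, 0x06) or q != len(atv):
                raise ValueError("malformed RelativeDistinguishedName")
            if val_tag not in TEXT_TAGS:
                raise ValueError("unsupported attribute value type 0x%02x" % val_tag)
            text = raw.decode(TEXT_TAGS[val_tag])      # UnicodeDecodeError on bytes outside the charset
            if any(c < " " or c == "\x7f" for c in text):  # NUL, newline, etc. never belong in a Name
                raise ValueError("control character in attribute value")
            out.append((oid, text))
    return out

def store_common_name(name_der, conn=None):  # only a validated CN reaches SQL, and only as a bound parameter
    cns = [t for oid, t in name_attributes(name_der) if oid == OID_CN]
    if len(cns) != 1:
        raise ValueError("expected exactly one commonName")
    conn = conn or sqlite3.connect(":memory:")     # stand-in store for the example
    conn.execute("CREATE TABLE IF NOT EXISTS requests (cn TEXT)")
    conn.execute("INSERT INTO requests (cn) VALUES (?)", (cns[0],))
    return conn.execute("SELECT cn FROM requests").fetchall()

def build_name(cn_bytes, tag=0x0C):  # constructed test input: a one-CN Name, short-form lengths only
    tlv = lambda t, v: bytes([t, len(v)]) + v
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(tag, cn_bytes))))
```

A quote character in the CN is stored verbatim because it travels as a parameter, while a NUL byte, a non-ASCII byte inside a PrintableString, or a BER indefinite length is rejected before any query is built.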