http://www.twitpwn.com/2009/07/motb-01-multiple-vulnerabilities-in.html
http://blogs.zdnet.com/security/?p=3451
Apart from the many worms and exploits listed above, as early as last month it's SSL page was using MD5 hashing with RSA encryption, it has been corrected now. If you remember, back in December 2008, a group of researchers identified a problem with MD5 collision, which affects SSL sites signed with MD5 hash. The exact problem is described in the Microsoft security blog,
"An MD5 hash collision allows a malicious user to potentially generate a rogue certificate derived from a valid one. This user can then impersonate a valid site or person since both certificates look legitimate because the certificate hashes are the same. An attacker will have to lure a user to initiate an SSL/TLS connection, then the certificate will be validated by the client and it will seem valid. Thus, the user will think that it is establishing a safe connection with site or person when in fact it is connecting with the attacker."
Another method to verify this is using the "SSL Blacklist" Firefox add-on
No comments:
Post a Comment