Tuesday, January 6, 2009

Secure Sites may not be that "Secure" ....

~ Science fiction does not remain fiction for long. And certainly not on the Internet. ~


If you have ever noticed the small padlock icon in the corner of your browser, it is there to assure you that the connection is secure ... and that matters most when we are dealing with financial transactions ... right ?? ... Until now we used to think that the certificates behind that padlock, which many certificate authorities signed with the help of the MD5 hash, were secure enough that they could not be faked ... in other words, if we are visiting Citibank's website then we can be sure it is the legitimate site ... but now some people have proved that it is quite possible to fake such a CA certificate, and hence secure sites may not be that secure in future ...

A team of U.S. and European researchers used a computing grid of more than 200 Sony PlayStation 3 video-game machines to create fake certificates and fool a browser into thinking it had a secure connection with a trusted site.

Researchers from California, teams from the Centrum Wiskunde & Informatica (CWI) and Eindhoven University of Technology in the Netherlands, and teams from the École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland presented a paper Tuesday at the 25C3 security congress in Berlin. They showed that they could generate two different messages carrying one and the same digital signature, exploiting the older MD5 hash algorithm that some certificate authorities still used when signing certificates.

A user who visits a Web site whose URL begins with https usually sees a locked padlock in a browser corner, indicating that the site employs a digital certificate issued by one of several trusted certificate authorities. The browser verifies the certificate, using one of several algorithms, including, for some sites, MD5.

Certificates signed with MD5 are still in use by many sites, and this weakness could enable third parties to create fake certificates and fool a browser into thinking it was visiting a secure site. A more modern and secure signature scheme is already used by many other sites.

The vulnerability was first identified four years ago by Chinese researchers, who demonstrated a collision attack: two different messages that hash to the same MD5 value and therefore carry the same digital signature. But the amount of computing power needed to turn that into a fake certificate was considered a huge obstacle to anyone attempting to take advantage.
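To see why a hash collision translates into a forged certificate, here is an added toy model (my own illustration, not code from the researchers or the post's source article). A CA never signs the certificate body itself; it signs the body's digest, so any second body with the same digest is "signed" for free. The model uses a deliberately tiny, constructed RSA key and truncates MD5 to 16 bits so that a birthday search for a colliding pair finishes instantly; with the full 128-bit digest the same pair no longer collides and the rogue body is rejected. The `tbs_body` format, the subject names and the padding field are all assumptions standing in for a real X.509 tbsCertificate.

```python
import hashlib

# Toy CA key: two Mersenne primes give a modulus wider than a 128-bit digest.
# Constructed for illustration only; far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest(tbs: bytes, bits: int = 128) -> int:
    """MD5 over the to-be-signed body, optionally truncated to `bits` bits.
    Truncation simulates a hash that is cheap to collide."""
    full = int.from_bytes(hashlib.md5(tbs).digest(), "big")
    return full >> (128 - bits)


def ca_sign(tbs: bytes, bits: int = 128) -> int:
    """Hash-then-sign: the CA's signature covers only the digest, not the body."""
    return pow(digest(tbs, bits), D, N)


def verify(tbs: bytes, sig: int, bits: int = 128) -> bool:
    """Browser-side check: recompute the digest and compare it with sig^E mod N."""
    return pow(sig, E, N) == digest(tbs, bits)


def tbs_body(subject: str, is_ca: bool, nonce: int) -> bytes:
    """Stand-in (assumed format) for an X.509 tbsCertificate: subject name,
    basicConstraints CA flag, and a free-form field the requester controls."""
    return f"CN={subject};CA={'TRUE' if is_ca else 'FALSE'};pad={nonce}".encode()


def find_colliding_pair(bits: int, pool: int = 2048):
    """Birthday search: a harmless end-entity body and a rogue CA body whose
    truncated digests agree. Only feasible because `bits` is tiny."""
    benign_by_digest = {}
    for nonce in range(pool):
        body = tbs_body("www.example.com", False, nonce)
        benign_by_digest.setdefault(digest(body, bits), body)
    nonce = 0
    while True:
        rogue = tbs_body("Rogue CA", True, nonce)
        benign = benign_by_digest.get(digest(rogue, bits))
        if benign is not None:
            return benign, rogue
        nonce += 1


def demo(bits: int = 16) -> dict:
    """Run the whole story: collide, get the benign body signed, reuse the signature."""
    benign, rogue = find_colliding_pair(bits)
    sig = ca_sign(benign, bits)  # the CA only ever sees the harmless request
    return {
        "benign_ok": verify(benign, sig, bits),
        # Same signature, rogue body: accepted because the digests match.
        "rogue_ok_weak": verify(rogue, sig, bits),
        # With the full digest the pair no longer collides, so the forgery fails.
        "rogue_ok_full": verify(rogue, ca_sign(benign), 128),
    }


if __name__ == "__main__":
    print(demo())
```

The defensive takeaway is the last line of `demo`: the signature scheme is unchanged, only the hash is strong, and that alone is enough to reject the rogue body. This is why the fix for the 25C3 result was for CAs to stop signing with MD5 rather than to change RSA.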

If you would like to read more about this, then have a look here ...

Njoy !!!
