Friday, March 25, 2005

MD5 vs. SHA1

MD5 digest algorithm is dead. It have been proven to be totaly insecure. What people doesn't realise is that MD5 weakness will have great impact on SHA1. Why? If CA use SHA1 to sign itself and issued certificates, it is possible to create certificate and forge signature so it will look like CA issued that certificate, but with MD5 digest alg. Before we fix all security applications that doesn't check this security threat, large demage will be done.

Reference: http://www.win.tue.nl/~bdeweger/CollidingCertificates/

Monday, March 21, 2005

The future of PKI

Today, PKI rely on prime numbers. Humans know very little about prime numbers. We can only take all numbers in a range (from 10000000000 to 999999999999) and prove if some of those numbers are prime.

One day someone figure out how prime numbers work: it will be the end of PKI. The end of SSL, X.509 certificates, digital signature and encryption as we know it.

Think about that.

Tuesday, March 15, 2005

Unicode URL Attack

Your browser will likely show two different URLs as the same URL, if one of them is unicode version:

Demo website:
http://www.shmoo.com/idn/

Notice that URL displayed in the address bar of your browser is the same, but links navigate to different web pages!