15 February 2013

I just came across  Symantec SSL certificates feature cryptography 10k times harder to break than RSA-bit key and Symantec/VeriSign Expands Encryption Options For SSL Digital Certificates (http://www.darkreading.com/authentication/167901072/security/encryption/240148562/symantec-verisign-expands-encryption-option+s-for-ssl-digital-certificates.html).

I must say, I am stunned. AFAIK no certificate has been "broken" yet, and those few ones what have, were implementation errors or via MD5 collision attacks. And then there are plain hack-into-their-system and steal the private keys attacks, like DigiCert. There are a few others most likely.

The problem is not the encryption of the SSL certificate, present SSL encryptions are strong - again, most of them, MD5-based SSL certificate hashes are considered broken (or anything MD5 based in general), and also the recent "Lucky 13" when using a specific cipher.

There are still enough ciphers out there to make existing SSL certs good enough. Deploying a new cipher takes time and is new code, what has not been (security)tested yet.

Attackers will always attack the weakest link, and this is not by bruteforcing the cipher, in most cases they go after the human.

blog comments powered by Disqus