
Comments on: Web browser flaw could put e-commerce security at risk

Key piece of Internet technology that banks and e-commerce sites rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers reports.

by UnnDunn December 30, 2008 6:51 AM PST
To me, this doesn't seem to be that big of a deal, considering the resources and organization required to pull off this attack, and the fact that it is relatively easily-blunted.
Reply to this comment
by Pishkado December 30, 2008 7:32 AM PST
Resources? Today's "two weeks on a network of 200 PS3s" is next year's "a day on a high-end gaming system" (especially if you can harness its GPUs!) and the year after's "ten minutes on a standard home computer." Computing resource requirements have never been a long-term barrier to anything. If people don't start fixing it now, this problem will still be around in 2012 - when the computing required to forge a certificate will be trivial.
by amadensor December 30, 2008 7:44 AM PST
Two weeks on 200 PS3's, but how long on a bot net of thousands of zombie machines?
by umbrae December 30, 2008 9:15 AM PST
It is a big deal. There is a Trojan in the wild being used now that uses the NIS layer to create a fake DHCP server to alter DNS and affect other machines. Imagine an infected laptop entering Starbucks: instantly all the PCs/Phones/whatever would have poisoned DHCP information and be controlled. Point the DNS to a bank site with a forged cert and you are pretty much damned a lot of people.
by Astinsan December 30, 2008 9:26 AM PST
Not to mention bot nets. I can look at my web traffic and see all of them trying to find vulnerabilities in almost every web script/server/OS flaw. There are more than 500 IPs doing the attacks. They're free for the people who know how to command them.
by umbrae December 30, 2008 9:12 AM PST
Man, I have not had an MD5 cert in a while. I wish auths would be sure to drop older formats. Nothing's secure, but MD5 should not be issued anymore.
Reply to this comment
by bob1xxxx December 30, 2008 9:21 AM PST
Really, cnet has got to rein in these "al znore" style let's-scare-the-crap-out-of-the-most-people-with-false-issues blog reports. These "reports" are solely designed to generate hits for the posting blogger and cnet and are one of the shabbiest forms of journalism. Cnet, before you totally destroy what tiny bit of credibility you have left, stop these stupid "the world is ending" blog posts; you're looking dumber and dumber by the day.
Reply to this comment
by JoeF2 December 30, 2008 10:09 AM PST
It is obvious that you don't know anything about the Internet and security on the Internet in particular.
Watching stupid TV shows all day, eh?
May I suggest getting an education for a change?
This is an important issue, and I am glad that this is reported in the more mainstream publications and not just on Bugtraq (I doubt that you know what Bugtraq is, though.)
by vanbroup December 30, 2008 10:05 AM PST
Networking4all created a tool to check if a certificate in the chain has been signed with an insecure algorithm.

Example:
https://www.networking4all.com/en/support/tools/site+check/?fqdn=www.verisign.com

You can check all sites on:
https://www.networking4all.com/en/support/tools/site+check/
Reply to this comment
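The check vanbroup describes (walk a certificate chain and flag any certificate whose outer signature uses MD5) can be done locally with a few lines of DER parsing. The following is an added example, not code from the original thread or from Networking4all's tool: it reads the outer `signatureAlgorithm` field of each DER certificate and classifies it by OID. The sample chain at the bottom is constructed in the script (the "certificates" carry an empty tbsCertificate and a dummy signature), so it runs offline; with real certificates you would pass their DER bytes instead. OID values are the standard ones from RFC 3279 and RFC 4055.

```python
"""Flag weak signature algorithms in an X.509 chain (added example, not the page's code).

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
Only that outer structure is decoded; nothing here verifies the signature itself.
"""
from typing import List, Tuple

# Well-known signature-algorithm OIDs (RFC 3279 / RFC 4055) and the verdict we attach to them.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "WEAK"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "MARGINAL"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "OK"),
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the DER TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OID contents (base-128 arcs, first byte packs the first two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected an OID")
    return _decode_oid(oid)


def audit_chain(chain: List[bytes]) -> List[Tuple[int, str, str]]:
    """Return (index, algorithm name, verdict) per certificate; unknown OIDs are UNKNOWN."""
    report = []
    for i, cert in enumerate(chain):
        oid = signature_algorithm(cert)
        name, verdict = SIGNATURE_OIDS.get(oid, (oid, "UNKNOWN"))
        report.append((i, name, verdict))
    return report


def chain_is_weak(chain: List[bytes]) -> bool:
    """True if any certificate in the chain carries a WEAK signature algorithm."""
    return any(verdict == "WEAK" for _, _, verdict in audit_chain(chain))


# --- constructed sample data (DER built by hand; not real certificates) ---------------
def _der(tag: int, content: bytes) -> bytes:
    assert len(content) < 128, "sample encoder supports short-form lengths only"
    return bytes([tag, len(content)]) + content


def _encode_arc(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]]) + b"".join(_encode_arc(a) for a in arcs[2:])
    return _der(0x06, body)


def _fake_cert(sig_oid: str) -> bytes:
    """Minimal Certificate shell: empty tbsCertificate, AlgorithmIdentifier, dummy BIT STRING."""
    alg_id = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))  # OID + NULL params
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00" + b"\x00" * 4))


# Leaf signed with SHA-256, intermediate signed with MD5: the chain as a whole is weak.
SAMPLE_CHAIN = [_fake_cert("1.2.840.113549.1.1.11"), _fake_cert("1.2.840.113549.1.1.4")]

if __name__ == "__main__":
    for idx, name, verdict in audit_chain(SAMPLE_CHAIN):
        print(f"cert[{idx}]: {name} -> {verdict}")
    print("chain weak:", chain_is_weak(SAMPLE_CHAIN))
```

The point of checking every certificate rather than just the leaf is the one the researchers' attack turns on: a rogue intermediate CA certificate signed with MD5 compromises the chain even when the leaf below it uses a strong hash.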
by Penguinisto December 30, 2008 11:03 AM PST
Hrm - I wonder why no mention has been made of Blowfish:
http://www.schneier.com/blowfish.html
Reply to this comment
by abpend December 30, 2008 4:14 PM PST
Apples and oranges: MD5 is a hashing function, whereas Blowfish is a block cypher.
by mbenedict January 2, 2009 12:04 AM PST
Please stop posting nonsense (yet again). Not only is Blowfish not a hash, even Schneier doesn't recommend its continued use.
by Will_in_BC December 30, 2008 11:35 AM PST
Many phishing attacks originate simply from email so the vulnerability is of concern without redirection attacks such as the DNS cache poisoning flaw.

The team has published an outstanding write up of their work at

http://www.win.tue.nl/hashclash/rogue-ca/

which I would highly recommend reading as it provides an excellent introduction to the public key infrastructure on which we all depend as well as a detailed account of the vulnerabilities and their exploits.
Reply to this comment
by cerebral_but_dull December 30, 2008 11:36 AM PST
My identity has been stolen 3 times so far this year and yet we are racing headlong toward 100% dependency on web browsing for all transactions. My state, NJ, requires every business to use the web to pay every fee and tax online through e-transfer from their bank account, refusing to consider the safety valve of manual payment. So these issues are beyond crucial, and there can never be enough coverage of them. I know that the full contents of my accounts will be transferred to a scammer overseas in the pretty near future, but I'd like to forestall it for a year or two if possible.
Reply to this comment
by Lerianis December 30, 2008 2:50 PM PST
Hate to say this, but if your identity has been stolen THAT MANY times..... You have gotta be doing something to enable your identity to be stolen, in all bluntness.
I also find it hard to believe because, if your identity has been stolen, automatic warnings are put on your credit reports saying "Get verification first!"
by cerebral_but_dull December 30, 2008 3:37 PM PST
I didn't mean that my credit card was used three times, I meant personal identity info was stolen 3 times. First Horizon/Blue Cross lost my files to a subcontractor. Second Hudson City Savings lost my files to a subcontractor. Third I visited one of America's most secure facilities, had to tell security department everything about me, and keystroke loggers were installed on their computers. If you send email to professionals that say "Click to see nude pictures of Lola", they won't fall for it these days. But if you make a good guess what conference they have registered for and write "We regret to advise that due to a sudden speaker cancellation, the times for several lectures you signed up for have changed. Attached is the revised schedule" then they do and did fall for it.
by hawkeyeaz1 December 30, 2008 4:41 PM PST
The title of the article is really misleading, as it is not a browser flaw, but a certification flaw.
Reply to this comment
by n3td3v December 30, 2008 4:48 PM PST
It's funny when the readers have a bigger clue than the journalist writing the stuff.
by Arnold Reinhold December 30, 2008 9:10 PM PST
Vendors should have stopped using MD5 years ago. And now they shouldn't switch to SHA1, which is marginal, but should go to SHA-256 which still has an adequate margin of safety. 256 bits is the smallest size that SHA-3 will support anyway, and that's still 5 years out.
Reply to this comment
by GardenLobster January 2, 2009 10:10 AM PST
I love the picture of the hackers - geeks like this are hawt!
Reply to this comment