OpenSSL Hit by Forgery Bug

Posted by ryuzaki0 on Monday September 25, 2006 @10:56AM from the fast-fixes dept.

Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."

1 of 69 comments (clear)

Min score:

Reason:

Sort:

Re:old news by dveditz · 2006-09-25 13:36 · Score: 2, Interesting

It also needs to be noted that the impact of this bug is not nearly as wide as a slashdot front-page headline might suggest.
Unfortunately it is. While it may be true that few certs are issued with small exponents these days it doesn't really matter. Some of the pre-installed Certificate Authorities use a small exponent and you simply forge *their* signature to create a "valid" cert for any site you like.