From around the blogosphere…
Sotirov and Appelbaum’s SSL research has triggered some debate and lots of different opinions. Here are five different perspectives on this issue we thought were insightful.
Ryan Naraine from Zero Day got a preview of Sotirov and Appelbaum’s research (lucky him). What did he and his two guests, Chris Eng and John Viega, think? No big deal and preventative.
Robert Graham from Errata Security looked at the certificates in detail and concluded that not all of them are vulnerable to this attack. How about his other post on the poor VeriSign reaction? Shouldn’t they be a little better at this?
Bruce Schneier from Schneier on Security does not think the attack is a big deal: in his view SSL does not provide much security, so breaking it is not an issue. Do you agree that SSL is not what it’s cracked up to be? Pun intended.
Andrew Storms from 360 Security included the SSL hack as one of the 2008 Security Highlights, pointing out that these attacks resonate because of a lack of trust. He’s a believer in people like Sotirov and Appelbaum and the good they do.
Mordaxus from Emergent Chaos states that MD5 has been broken for more than a decade. He has mixed feelings about the attack. His main question is why people are still using MD5. Good question – shouldn’t this be scrapped by now?