[VOIPSEC] MD5 digests and rogue SSL certs - Re: Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?
Dan York
dyork at voxeo.com
Tue Dec 30 10:54:13 CST 2008
Olle,

On Dec 30, 2008, at 11:20 AM, Johansson Olle E wrote:

> I just heard that a group was using vulnerabilities in MD5 to crack
> SSL by using rogue certificates.

Yes, I saw tweets from http://twitter.com/security4all that were
talking about this presentation (I assume) as it was occurring.
Sounded quite interesting (and scary).

> It's really high time to move away from MD5 digests in SIP - the
> problem is how to use another algorithm in the HTTP digest challenge/
> response. And using SSL with certificates ... let's wait and see...

Right... and the fact still remains that many folks are using SIP out
there *without* digest authentication anyway. (It would be interesting
to try to gather stats on the usage - or not - of various forms of
authentication in SIP.)

Dan
--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation dyork at voxeo.com
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Build voice applications based on open standards.
Find out how at http://www.voxeo.com/free