Gene Spafford considers a new flaw in Internet security.
Follow-up on the CA Hack
News that the MD5 has function may have a vulnerability that can be exploited, and a false certificate created.
A posting by several authors has claimed to have.... identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.