OpenSSL Hit by Forgery Bug

OpenSSL Hit by Forgery Bug 69

Posted by ScuttleMonkey on Monday September 25, 2006 @06:56PM from the fast-fixes dept.

Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."

OpenSSL Hit by Forgery Bug

This discussion has been archived. No new comments can be posted.

Search 69 Comments Log In/Create an Account

Comments Filter:

Re:old news (Score:2, Interesting)

by dveditz ( 11090 ) writes: on Monday September 25, 2006 @09:36PM (#16194273)

It also needs to be noted that the impact of this bug is not nearly as wide as a slashdot front-page headline might suggest.
Unfortunately it is. While it may be true that few certs are issued with small exponents these days it doesn't really matter. Some of the pre-installed Certificate Authorities use a small exponent and you simply forge *their* signature to create a "valid" cert for any site you like.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

OpenSSL Hit by Forgery Bug 69

OpenSSL Hit by Forgery Bug More Login

OpenSSL Hit by Forgery Bug

Re:old news (Score:2, Interesting)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot