Fox-It is based in the Netherlands. This makes it likely that the author's native language is not English.
Would you be able to form a coherent thought in Dutch that a native speaker wouldn't find awkward?
First of all, this story should probably link to the actual event site.
Secondly, the results have been available since 11/19/08. This is hardly news at this point.
"The weakest trusted CA in the world compromises the entire public key infrastructure."
That's a slight overstatement. It compromises the entire public key infrastructure for which that CA is the root of trust.
If you removed all MD5-enabled CAs from your trusted roots list, you remove the potential of being fooled by a forged cert. Certs issued by other CAs, unaffected by the brute-force MD5 collisons, remain as trustworthy as they ever were.
Granted, for most people the chain of trust ties back to the default CAs that ship with their browser, and if any of those CAs is vulnerable, your faith in any cert validated as 'trusted' by your browser goes down, and most people don't bother looking at what CA issued the cert so long as their browser deems it trustworthy, but it's a little more nuanced that 'compromises the entire PKI infrastructure.'
I suspect browser patches will be out soon, removing trust for affected CAs entirely, not trusting them past a certain date, or at least giving warnings when MD5 signature verification is found along the chain of trust.
Obligatory link to the Movies featuring Nmap page. Enjoy.
A verbal contract isn't worth the paper it's written on. -- Samuel Goldwyn
