Post subject: MD5 considered harmful today        Posted: Tue Dec 30, 2008 7:41 pm
Administrator | Joined: Fri Aug 18, 2006 11:47 am | Posts: 12564 | Location: Merseyside, United Kingdom | Favourite OS: Microsoft Windows 7 Ultimate x64
MD5 considered harmful today

Quote:
We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 "collision". Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

Source and more: http://www.win.tue.nl/hashclash/rogue-ca/

Post subject: Re: MD5 considered harmful today        Posted: Tue Dec 30, 2008 7:51 pm
Donator | Joined: Tue Aug 12, 2008 7:37 pm | Posts: 2381 | Location: United States
I don't know what is more interesting, the article or the fact that 200 more views occurred while I skimmed through it.

I personally have every fraud feature disabled, I don't use anything that involves anything important really and it's all in my favorites menu.


Post subject: Re: MD5 considered harmful today        Posted: Thu Jan 01, 2009 6:46 pm
Donator | Joined: Sat Oct 04, 2008 5:43 pm | Posts: 1237 | Location: Milky Way Galaxy | Favourite OS: Windows Server 2012 Dtc
I know how to find MD5 collisions, and I've covered them all in my website.

It's a website for people buying stuff, and you have to have a digital certificate to log in.

I won't tell you my website, because it's computer related, and I've only reserved 1 T5 connection for it, and it's almost full anyway. No need to buy a second T5 connection. Most people don't know how expensive those things are :P

BTW: if you use an MD5 collision while decrypting an archive, etc., it will accept the password but won't work.

_________________
See my profile for my website link.


Post subject: Re: MD5 considered harmful today        Posted: Sat Jan 03, 2009 11:28 am
Donator | Joined: Fri Oct 26, 2007 5:12 pm | Posts: 2461
motherboardlove wrote:
I won't tell you my website, because it's computer related, and I've only reserved 1 T5 connection for it, and it's almost full anyway. No need to buy a second T5 connection. Most people don't know how expensive those things are :P


I'm sorry, unless I've missed something, you continually brag about these yet you never show your website or whatever. ^o)


Post subject: Re: MD5 considered harmful today        Posted: Thu Jan 15, 2009 12:15 am
Donator | Joined: Mon Sep 04, 2006 1:06 pm | Posts: 1004 | Location: USA
motherboardlove wrote:
I won't tell you my website, because it's computer related, and I've only reserved 1 T5 connection for it, and it's almost full anyway. No need to buy a second T5 connection. Most people don't know how expensive those things are :P


Honestly, a T5 (aka DS5, right?) has over 400mbit of bandwidth. You're telling us that your website is that popular?

_________________
-Jeff


Post subject: Re: MD5 considered harmful today        Posted: Thu Jan 15, 2009 9:59 pm
Donator | Joined: Sat Oct 04, 2008 5:43 pm | Posts: 1237 | Location: Milky Way Galaxy | Favourite OS: Windows Server 2012 Dtc
Jeff wrote:
motherboardlove wrote:
I won't tell you my website, because it's computer related, and I've only reserved 1 T5 connection for it, and it's almost full anyway. No need to buy a second T5 connection. Most people don't know how expensive those things are :P


Honestly, a T5 (aka DS5, right?) has over 400mbit of bandwidth. You're telling us that your website is that popular?


It's my beta site, and I want people to be able to download ASAP (these are not from BA!), so I have like... 4 GB files. Some people are telling me that it's getting slower.

_________________
See my profile for my website link.


Post subject: Re: MD5 considered harmful today        Posted: Thu Jan 15, 2009 10:27 pm
Administrator | Joined: Fri Aug 18, 2006 11:47 am | Posts: 12564 | Location: Merseyside, United Kingdom | Favourite OS: Microsoft Windows 7 Ultimate x64
OK, let's see here...

1. You refuse to tell us your website. This generally gives the idea there is no actual website and you're making things up.
2. A so-called T5 line (400Mbps) would cost over £800/month in bandwidth costs, and that's before the hardware required to run it.
3. You're on BA rather than your own beta site? That in itself makes no sense.
4. You want to let people download ASAP? BA lets you do that as well with only 100Mbps bandwidth that's rarely utilised to 20%. Unless you have 500% more visitors than BA at the LEAST, you have no chance of pulling that sort of bandwidth.

Sorry but I find this hard to believe.

Post subject: Re: MD5 considered harmful today        Posted: Thu Jan 15, 2009 10:44 pm
Administrator | Joined: Tue Feb 12, 2008 5:28 pm | Posts: 7927
I have to agree on this, it sounds a bit... odd. I mean, if you're running a beta site then why not share it? And if it's so popular that you need such bandwidth then it would only become more widespread and known, which would be instant rep for you too. No harm in sharing beta resources. 4GB files? We got them here too. Lots of them. Some files are even bigger than that, even twice or three times. We still don't run the BA bandwidth to the ground so much that it needs such a connection.

But fine, perhaps your site is secret and only for exclusive members that have a very high bandwidth connection. That would sure require a fast connection if you want to guarantee that everyone gets a high speed download. But I don't see the need for secrecy. At worst we would be greeted with a login window, at best with another good beta site which would be beneficial for both of us.

Your choice tho. But an "I won't tell you anything" attitude isn't the best way to get friends anywhere. If you want to keep your site a secret that's fine, but don't mention it at all and it will not cause any annoyance among those that read about it. Otherwise you're just creating a "we are better than you" elitism atmosphere which isn't beneficial for either of us.

Good luck with your site tho.

Post subject: Re: MD5 considered harmful today        Posted: Fri Jan 16, 2009 12:54 am
FTP Access | Joined: Sun Nov 16, 2008 5:24 pm | Posts: 198 | Favourite OS: Mac OS X 10.6.3 :D
I also know about how to find and generate md5 collisions, but I'll share what I know.

There's a nice example of an md5 collision with a program where one echoes hello and the other simulates a fake virus, here with an explanation of how the bytes collide:
http://www.mscs.dal.ca/~selinger/md5collision/

To generate your own file with a collision go here:
Pre-compiled Windows generator with an output of two different files with the same MD5 but different SHA-1, etc...
http://www.win.tue.nl/hashclash/ (Source code and compiled app available on page as link)



Here's a nice example I made
Code:
fastcoll---.exe -p "filezilla-3.2.0.exe" -o "filezilla1.exe" "filezilla2.exe"

Output is filezilla 1 and 2.exe, both same md5 but different hash on other hash crypts (ex. sha-1, whirlpool, etc...)

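Added example (not part of the thread, and not code from the linked tools): a Python check for the situation the last post describes, two different files that share an MD5 but differ under a stronger hash. The sample bytes are the publicly documented Wang et al. (2004) collision blocks rather than anything from this page, and the function names are chosen for this example.

```python
import hashlib
from collections import defaultdict

# Publicly documented 128-byte MD5 collision input (Wang et al., 2004).
# Sample data for this added example, not a file from the thread.
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
# The colliding partner differs only in the top bit of these six bytes.
FLIPPED_OFFSETS = (19, 45, 59, 83, 109, 123)
MSG_B = bytes(b ^ 0x80 if i in FLIPPED_OFFSETS else b
              for i, b in enumerate(MSG_A))


def digest(data, algorithm):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def find_md5_collisions(blobs):
    """Map each MD5 shared by inputs with different SHA-256 to their names.

    blobs: dict of name -> bytes. Byte-identical copies share both digests,
    so a group made up only of copies is not reported.
    """
    by_md5 = defaultdict(lambda: defaultdict(list))
    for name, data in blobs.items():
        by_md5[digest(data, "md5")][digest(data, "sha256")].append(name)
    return {
        md5: sorted(n for names in by_sha.values() for n in names)
        for md5, by_sha in by_md5.items()
        if len(by_sha) > 1
    }


def matches_published(data, published, algorithm):
    """Compare a download against a published digest (hypothetical checker)."""
    return digest(data, algorithm) == published.lower()


if __name__ == "__main__":
    files = {"a.bin": MSG_A, "b.bin": MSG_B, "a-copy.bin": MSG_A}
    print(find_md5_collisions(files))
    # A check that trusts MD5 alone accepts the swapped file ...
    print(matches_published(MSG_B, digest(MSG_A, "md5"), "md5"))
    # ... while a pinned SHA-256 rejects it.
    print(matches_published(MSG_B, digest(MSG_A, "sha256"), "sha256"))
```

Publishing and checking a SHA-256 digest alongside (or instead of) the MD5 is what makes the substitution visible.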