Results tagged “software”

This news is a couple weeks old, but I wanted to mention it anyway. Several years ago I mentioned a flaw in MD5. Seeking a proof of concept, a team of researchers successfully forged a CA certificate that could sign any certificate they desired. The resulting certificate would be implicitly trusted by all major web browsers. The team presented their results at the 25th Chaos Communication Congress last month in Berlin.

I wanted to briefly describe their ingenious technique but gave up after realizing how many prerequisite concepts I'd need to introduce. Read their excellent paper if you're interested in the details. The team used a farm of PlayStation 3 consoles to compute a CA certificate that collided with a carefully crafted certificate issued by RapidSSL.

There's no immediate risk to users. This development is primarily a wakeup call to certificate authorities to stop relying on MD5 immediately. MD5 is broken.

I'm proud to say that this blog does not run PHP or MySQL!

PHP is the most prevalent web programming language thanks its ease of installation and popularity among web designers. MySQL is the most common open source database management system (on web sites, at least). Both are horrid pieces of software haphazardly thrown together. I'll surely rant about them later.

This blog is powered by Apache, Perl, PostgreSQL, and Movable Type with a little help from mod_include, all running on Ubuntu. (Alas, the FreeBSD VPS hosts were not as appealing.) I may be stuck using PHP and MySQL at work, but at least I can liberate myself at home!

Some exciting and disturbing news surfaced this week. Computer Scientists from France and China have uncovered flaws in the MD5 and SHA-0 hashing algorithms. Though still preliminary, these findings suggest that an attacker could produce a hash collision in a short timeframe on a household PC. The security implications are quite serious. Apache, for example, signs its releases on mirror sites with MD5 checksums. An attacker could, in theory, incorporate malicious code in such a way that the compromised Apache distribution would yield the same MD5 signature.

The discovery of a similar flaw in SHA-1, which is widely used in PGP and SSL, may have been announced last Tuesday at Crypto 2004 in Santa Barbara. I could not find any related articles, however.

I just ran into a fascinating and insightful discussion about web applications and the future of computing. The article includes lots of good dialog and many links to other related articles. My favorite is an article written by Joel Spolsky earlier this month: How Microsoft Lost the API War. His article touches on such diverse topics as backwards compatibility in the Windows API, the sudden stall in Internet Explorer development a few years back, the .NET framework, Microsoft's "bad bets" in the upcoming Longhorn, and the decline in rich clients. Enjoy!