On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
>
> I repeat something I've said a couple times in this thread: If I can
> somehow create two docs with the same hash, and somehow con someone
> into using one of them, chances are there are bigger problems than a
> SHA1 hash collision.
>
> If you assume I could somehow get Verisign to use a cert I created to
> match another cert with the same hash, why in the hell would that
> matter? I HAVE THE ONE VERISIGN IS USING. Game over.
>
> Valdis came up with a possible use of such documents. While I do not
> think there is zero utility in those instances, they are pretty small
> vectors compared to, say, having a root cert at a major CA.
I want a google.com cert. I ask a CA to sign my fake google.com certificate. They decline, because I can't prove I control google.com. I create a cert for mydomain.com that hashes to the same value as my fake google.com cert. I ask a CA to sign my mydomain.com cert. They do, because I can prove I control mydomain.com. Now I effectively have a signed google.com cert.

Of course, SHA1 is already deprecated for this purpose, and the currently demonstrated attack isn't flexible enough to have much chance at getting a colliding certificate signed. So, practically speaking, this isn't a problem *today* (even if SHA1 were deprecated). So this is more of a "here's the sort of thing collision attacks can be used for" point, rather than a "here's what you can do with this attack right now" point.

--
Brett
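The scenario Brett describes, worked through in code. This is an added example and not part of the thread or anyone's posted code: the "certificate" is a constructed flat byte string rather than DER, the CA key is textbook RSA built from two Mersenne primes, and the hash is SHA-256 truncated to 32 bits so that a birthday search for two colliding blobs (one with subject mydomain.com, one with subject google.com) finishes in well under a second. All names (ToyCA, ATTACKER_KEY, the nonce field) are assumptions made for the illustration. The point it shows is the one in the post: the CA's signature covers only the digest, so a signature issued for the mydomain.com blob verifies unchanged against the google.com blob.

```python
"""
Toy model of the collision-to-forged-certificate scenario from the post.

Constructed for illustration only: the 'TBSCertificate' is a flat byte
string, the CA signs with textbook RSA, and the hash is SHA-256 cut to
32 bits so a birthday collision costs about 2^16 work per side.
"""
import hashlib

HASH_BITS = 32  # TOY: real SHA-1 is 160 bits; 32 bits keeps the search fast


def weak_hash(data: bytes) -> bytes:
    """Stand-in for a broken hash: SHA-256 truncated to HASH_BITS."""
    return hashlib.sha256(data).digest()[: HASH_BITS // 8]


def tbs_certificate(subject: str, nonce: bytes) -> bytes:
    """Constructed flat 'to-be-signed' blob. The nonce plays the role of the
    attacker-chosen bytes (serial, extension, key padding) that a chosen-prefix
    collision lets you vary without touching the subject."""
    return (b"subject=CN=" + subject.encode() + b";issuer=ToyCA;"
            b"pubkey=ATTACKER_KEY;nonce=" + nonce.hex().encode())


def subject_of(tbs: bytes) -> str:
    """Pull the CN back out of the constructed blob."""
    start = tbs.index(b"CN=") + 3
    return tbs[start: tbs.index(b";", start)].decode()


def find_colliding_certs(subject_a: str, subject_b: str, max_tries: int = 1 << 20):
    """Birthday search for two blobs with different subjects and equal weak_hash.
    Candidates for both sides are generated in lockstep; the first match between
    the two tables (or within one iteration) is returned as (cert_a, cert_b)."""
    seen_a: dict = {}
    seen_b: dict = {}
    for i in range(max_tries):
        nonce = i.to_bytes(8, "big")
        cert_a = tbs_certificate(subject_a, nonce)
        cert_b = tbs_certificate(subject_b, nonce)
        h_a, h_b = weak_hash(cert_a), weak_hash(cert_b)
        if h_a == h_b:
            return cert_a, cert_b
        if h_a in seen_b:
            return cert_a, seen_b[h_a]
        if h_b in seen_a:
            return seen_a[h_b], cert_b
        seen_a[h_a] = cert_a
        seen_b[h_b] = cert_b
    raise RuntimeError("no collision within budget")


# TOY CA key: textbook RSA over two Mersenne primes. Not a real CA key.
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
CA_N = _P * _Q
CA_E = 65537
CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))


def ca_issue(tbs: bytes, domains_requester_controls: set) -> int:
    """The CA checks domain control against the subject, then signs the DIGEST
    of the blob. Nothing in the signature binds the actual bytes."""
    if subject_of(tbs) not in domains_requester_controls:
        raise PermissionError("no proof of control for " + subject_of(tbs))
    m = int.from_bytes(weak_hash(tbs), "big")
    return pow(m, CA_D, CA_N)


def verify(tbs: bytes, signature: int) -> bool:
    """Relying-party check: recover the digest from the signature, compare."""
    return pow(signature, CA_E, CA_N) == int.from_bytes(weak_hash(tbs), "big")


def demo():
    mine, target = "mydomain.com", "google.com"
    cert_mine, cert_target = find_colliding_certs(mine, target)
    try:
        ca_issue(cert_target, {mine})      # honest CA refuses the google.com request
    except PermissionError:
        pass
    sig = ca_issue(cert_mine, {mine})      # ...but signs mydomain.com
    # The same signature now validates the google.com blob.
    return verify(cert_mine, sig), verify(cert_target, sig)


if __name__ == "__main__":
    print(demo())
```

With HASH_BITS set to anything near a real digest width the search in find_colliding_certs never finishes, which is the whole gap between "collisions exist" and "here is a colliding certificate a CA will sign"; the 32-bit toy only exists to make the signature-transfer step visible.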