[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] how would browser vendors deal with $O(10^k)$ fake certs?



On Wed, 13 Apr 2011, Marsh Ray wrote:

> Only in cases where the element is found though, the last bit only needs 
> to be checked if all the preceding bits matched. In the normal 
> (non-attack) case the "s3r34l number" isn't found.

It depends on whether one talks about the worst-case complexity 
or about the average-case complexity.

Anyway, there is much more computation beyond the mere blacklist search:  
it is necessary to receive the certificate from the network (all bits must
be read on order to complete the handshake) and to verify its digital
signature (all bits must be hashed) or to find it in some kind of cache
of verified certs (a positive result is needed here, therefore all bits 
must be checked and match).

-- 
Pavel Kankovsky aka Peak                          / Jeremiah 9:21        \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/