Some of you may have noticed that Firefox upgraded itself over the weekend to 18.104.22.168. Those of you running anything less than 22.214.171.124 need to upgrade ASAP. The vulnerability that was fixed has to do with being able to forge the RSA signatures used to sign SSL certificates. The cynical among you that snickered when Sean Corfield said he got phished will feel really dumb when you’re on a site that appears to have a perfectly valid SSL certificate, and looks to be signed by the right people, and yet is still a forgery. In other words, if you don’t upgrade, all of your browser-sleuthing and security-smarts aren’t going to help you.
If you are using self-signed OpenSSL certificates on your web server, it probably wouldn’t kill you to upgrade to OpenSSL 0.9.8c.
There are three articles worth of explanations as to how the attack works. The first is fairly crypto-heavy, while the third includes pretty pictures and is more for the layperson. (Although, the third assumes you have at least glanced at the first, so it would probably behoove you to at least skim it.)
I consider myself to have a pretty good background in crypto, and if there’s one thing that I’ve learned from it all, it’s that crypto is frickin’ hard. Even the experts sometimes get it wrong.
I’m currently reading Neal Stephenson’s Baroque Cycle series, and a large chunk of it, like Cryptonomicon, hinges on crypto. Crypto provides a sense of security that isn’t always justified, and empires have risen and fallen on the strengths and weaknesses of their cryptosystems.
Anyone who has always thought crypto would be cool to learn about but has found it to be unapproachable would best be served by starting with Simon Singh’s The Code Book. Even my non-coder-geek wife really got into it, if that says anything. It’s a great introduction to crypto through the ages and how it evolved.