Whoos with GnuTLS and md5-signed certificates
Brian May
brian at microcomaustralia.com.au
Mon Feb 16 00:19:15 UTC 2009
Daniel Kahn Gillmor wrote:
> Are there any concrete proposals for how to deal with this
> systematically within debian without leaving GnuTLS users in lenny
> perpetually gullible to MD5-based forgeries, or improperly-trusted V1
> certificates?
>
Unless you want to "fix" openssl, Firefox, etc, Lenny users will still
be vulnerable even if GnuTLS is fixed.
The sooner MD5 certificates (not counting explicitly trusted self signed
certificates here) are disabled everywhere the better, IMHO.
Yes, this may break stuff. Unfortunately.
--
Brian May <brian at microcomaustralia.com.au>
More information about the Pkg-gnutls-maint
mailing list