6 items tagged “edfelten”
2008
Researchers Show How to Forge Site Certificates. Use an MD5 collision to create two certificates with the same hash, one for a domain you own and another for amazon.com. Get Equifax CA to sign your domain’s certificate using the outdated “MD5 with RSA” signing method. Copy that signature onto your home-made amazon.com certificate to create a fake certificate for Amazon that will be accepted by any browser.
Popular Websites Vulnerable to Cross-Site Request Forgery Attacks. Ed Felten and Bill Zeller announce four CSRF holes, in ING Direct, YouTube, MetaFilter and the New York Times. The ING Direct hole allowed transfer of funds out of a user’s bank accounts! The first three were fixed before publication; the New York Times hole still exists (despite being reported a year ago), and allows you to silently steal e-mail addresses by CSRFing the “E-mail this” feature.
2007
Radiohead Album Available for Free, But Fileshared Anyway. “Why are some people getting In Rainbows from P2P rather than the band’s site? Probably because they find P2P easier to use.”
E-Voting Ballots Not Secret; Vendors Don’t See Problem. “You know things are bad when questions about a technical matter like security are answered by a public-relations firm.”
Once people see that a pretty good phone can be a pretty good mobile computer, they won’t settle for less anymore; and mobile networks will be pried open.
HBO Exec Wants to Rename DRM. “... until recently nobody had complained that the term ’Digital Rights Management’ was insufficiently Orwellian.”