Twitter SSL Fail… Again!

Posted by Tyler on January 15, 2009
SSL Fail Images, SSLFail

Given my last post on the ssl_error_bad_cert_domain error, you probably wouldn’t expect me to post another one so soon, but I thought that this really demonstrated my point. Mike Murray posted to Twitter earlier today that something was up with their SSL and asked if perhaps it was a compromise of sorts. Tonight he sent us a copy of the image. Mike’s a bright guy and well known around InfoSec; if this made him question what was going on, then I think it’s safe to say that these SSL error messages are a hindrance to our day-to-day use of the web.

I know I’ve already posted a Twitter SSL Fail in Chrome, but here’s the image Mike sent:

Twitter SSL Fail Image

2 Comments to Twitter SSL Fail… Again!

Pat Murphy
May 20, 2009

As of May 20, 2009, https://twitter.com/ has a cert that is signed with the MD5 algorithm. Search any geek news site for “ssl md5” and you’ll see this is NOT a good idea anymore.

Tyler
May 20, 2009

@Pat

I think you should take note of this FAQ Question & Answer (from: http://www.win.tue.nl/hashclash/rogue-ca/)

Question: What should websites do that have digital certificates signed with MD5?

Answer: Nothing at this point. Digital certificates legitimately obtained from all CAs can be believed to be secure and trusted, even if they were signed with MD5. Our method required the purchase of a specially crafted digital certificate from a CA and does not affect certificates issued to any other regular website.
