MD5 CA hack and the PS3

December 30, 2008 11:57 AM EST

If you haven't heard, a security research group has created a hack using a weakness in the MD5 hash algorithm to create "valid" certificates that will be trusted by your browser (here is a site with some good demos of the process).  Basically, they are generating a certificate through a bogus Certificate Authority (CA) that is identical to one generated by a valid CA, and your browser has no way of knowing the difference.  The good news is that most CA's now use SHA-1 as their hash algorithm, but there are still a few CA's that use MD5.

But what I thought was a funny tidbit about the hack is that the researchers constructed the attack "using an advanced implementation of a known MD5 collision construction and a cluster of more than 200 PlayStation 3 game consoles" (emphasis added).  Yep, that's right - PS3's.  I picked up on this because over a year ago I wrote a short post here at Computerworld about a story that talked about the New Zealand-based security researcher Nick Breese using the PS3 "to crack passwords at speeds 100 times greater than Intel hardware is capable of."

I said this in that post:

[N]o one is really saying that this is a real and current threat to Windows passwords and SSL.

And because the Playstation is cheaper than your typical PC, it could become something to think about in the future.

Though I am not saying that hackers are going to start buying PS3's in bulk and use them for cracking SSL, I can say that it now looks like this is a more viable option.  And I am sure Sony won't object.