Cipher Issue 88, January 2009, Editor's Letter

Dear Readers,

The widely reported "Rogue CA" demonstration carried out by researchers in the Netherlands illustrates several things about the current state of security on the Internet. There is an interesting clash between the rather fast pace of cryptologic research and the slower pace of changing Internet practices. The exploit demonstration was foreseeable and inevitable from the time that an MD5 hash function "collision" was demonstrated several years ago. Despite the ready availability of replacement functions, MD5 remains in common use as a part of digital signatures and chains of trust in network browsers. The Internet, so agile and open to innovative applications, is a quagmire when it comes to erasing security weaknesses.

At the end of February, the National Institute of Standards and Technology (NIST), will hold a "SHA3" conference in Leuven, Belgium, to begin the selection process among dozens of candidates for a new hash function standard. One has to wonder at what date the winning function will be widely deployed.

In this issue Richard Austin reviews a book on the interesting topic of security visualization. Though I often suspect that most computers and networks harbor nightmarish security scenes, I think that most objective security professionals will welcome this direction in dealing with security monitoring and assessment.

Finally, never confuse "phishing" with "ghotiing",

    Hilarie Orman
    Cipher Editor