MD5 Hack Interesting, But Not Threatening
Tim Callan, 2009-01-05

A few days ago at the Chaos Communication Congress in Berlin, researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL certificate using the RapidSSL brand of SSL certificate. In the intervening time we have seen a great deal of confusion and misinformation in the press and blogosphere about the specifics of this attack and what it means to the online ecosystem.

MD5 Hack Interesting, But Not Threatening 2009-01-05
Anonymous (1 replies)
Whoever wrote this is such a tool. Verisign is EVIL company that charges a lot of money for NOTHING. The problem is Verisign is given a monopoly by the US government....

Re: MD5 Hack Interesting, But Not Threatening 2009-01-22
Anonymous
I agree - any MD5 collision makes that insecure, period, case closed - sha2 was also cracked - Do not use md5 or sha1 or sha2 ...

MD5 Hack Interesting, But Not Threatening 2009-01-06
Charlie Miller (1 replies)
Since when are marketing folks allowed to talk about security on a security site? Next time there's a remote in Vista, I hope we get to hear from MS marketing about how it is not threatening....

Re: MD5 Hack Interesting, But Not Threatening 2009-01-06
Robert Lemos (5 replies)
Hey Charlie:

SecurityFocus has started running guest columns about once a month. Because of the SSL issue, VeriSign was given an invitation to respond in a column.

I can understand your initial reaction. However, rather than focus on the title of the author, I would focus on the content. Is thi...

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-06
Anonymous (1 replies)
I would agree with Charlie's point of view on this one. Bad optics. The site seriously needs to get back to computer security instead of what is presently being offered as seen in its present columns. This has been echoed enough times already....

Re: Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-12
Anonymous
Agreed. I'm losing any respect for SecurityFocus now that they are becoming a marketing shill instead of presenting the real issues of information security....

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-06
Anonymous
all certs moving forward are OK but what about older certs? the vuln still exists, although from reading this article, that point is downplayed severely. With the ease of ARP spoofing in many places and the sluggishness at which many organizations will phase out the old MD5 based certs, there will be a...

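As an added example (not code from the column, from VeriSign, or from any commenter), here is a standard-library Python triage script for the situation this comment raises: it reads only as far into a certificate's DER as the signature algorithm OID and flags MD5 and SHA-1 signatures, and it also checks that the inner tbsCertificate.signature matches the outer signatureAlgorithm as RFC 5280 requires. The sample certificates, the verdict labels in the OID table and all function names are this example's own constructions, not anything from the page.

```python
"""Certificate signature-hash triage (added example, not part of the column
or the comments). Walks a certificate's DER just far enough to read the
signature algorithm OID so an inventory can be checked for lingering MD5 or
SHA-1 signatures. Standard library only; the sample certificates below are
constructed by hand and are not real CA-issued certificates."""
import base64

# Signature OIDs from RFC 3279 / RFC 4055 / RFC 5758. The verdict labels are
# this example's own classification.
KNOWN_SIG_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                     # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _alg_oid(buf, pos):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, start, end = _read_tlv(buf, pos)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(buf[start:end])


def signature_algorithms(der):
    """Return (outer signatureAlgorithm OID, tbsCertificate.signature OID)."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, tbs_end = _read_tlv(der, pos)        # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    _, alg_start, _ = _read_tlv(der, tbs_end)             # signatureAlgorithm
    outer = _alg_oid(der, alg_start)
    # Inside tbsCertificate: optional [0] EXPLICIT version, INTEGER serial,
    # then the inner AlgorithmIdentifier that RFC 5280 says must equal the outer.
    tag, _, nxt = _read_tlv(der, tbs_start)
    if tag == 0xA0:
        tag, _, nxt = _read_tlv(der, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    _, inner_start, _ = _read_tlv(der, nxt)
    return outer, _alg_oid(der, inner_start)


def _to_der(data):
    """Accept PEM or DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def classify(cert_bytes):
    outer, inner = signature_algorithms(_to_der(cert_bytes))
    name, verdict = KNOWN_SIG_OIDS.get(outer, (outer, "unknown"))
    return {"oid": outer, "name": name, "verdict": verdict, "tbs_matches": outer == inner}


# --- constructed samples: DER built by hand, no key and no real signature ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid, tbs_sig_oid=None):
    """Structurally valid Certificate skeleton; signatureValue is filler bytes."""
    alg = lambda oid: _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))    # version v3
                     + _der(0x02, b"\x01")               # serialNumber 1
                     + alg(tbs_sig_oid or sig_oid)       # signature
                     + _der(0x30, b""))                  # issuer (empty Name)
    return _der(0x30, tbs + alg(sig_oid) + _der(0x03, b"\x00" + b"\xAA" * 8))


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    samples = [("md5", build_sample_cert("1.2.840.113549.1.1.4")),
               ("sha1", build_sample_cert("1.2.840.113549.1.1.5")),
               ("sha256 (PEM)", to_pem(build_sample_cert("1.2.840.113549.1.1.11"))),
               ("inner/outer mismatch", build_sample_cert("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.4"))]
    for label, cert in samples:
        print(label, classify(cert))
```

Feed it real PEM or DER files from a certificate store and anything rated "broken" is a candidate for replacement; a certificate whose inner and outer algorithm identifiers disagree is malformed and worth a closer look regardless of the hash.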
Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-08
Anonymous
While I do appreciate information such as "we picked up the researcher's suggestions" and "we offer to replace old MD5 certificates", other comments should not appear on a security site such as this.

I'm specifically talking about the "it took the researchers a month and cost them some money...

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-22
Anonymous
Robert, we have heard a lot about you. Security Focus should BAN ALL VPs of Marketing from posting any writings, because it's a commercial. It's propaganda that Verisign is a good company or any of that. Just tell them to turn around and go home! Don't invite the virus to enter you; defend against it! Plea...

When is it "threatening"? When they post your bank statements as part of the presentation? 2009-01-23
Anonymous
Robert,

The problem is that the only appropriate title for the article would be something like "Verisign's response to SSL Cert issue", NOT "Interesting, but not threatening."

The title of the author is also relevant - this guy's JOB is damage control.

An official response is one thing. S...

MD5 Hack Interesting, But Not Threatening 2009-01-06
Margot (1 replies)
After this column of smooth talk I certainly do not trust Callan or Verisign anymore.

Since the mid-1990s MD5 has been considered weak; in 2004 it was proven again by example, and again in 2007 and 2008. Now Callan claims it takes much time to change from MD5. Sure, but not 15 years, not 10 years, nor 5 years....

Re: MD5 Hack Interesting, But Not Threatening 2009-01-07
Anonymous
"For instance, SHA-1 is already considered weak! Why then not mentioning this and why then still switching to SHA-1?"

Because SHA-256 is not well supported in some environments. Migration to SHA-256 will happen because it must, but folks are just now waking up to it.

Most also have their he...

Verisign were notified about this work prior to the presentation 2009-01-06
Alexander Sotirov (1 replies)
I am one of the researchers who presented this work at the CCC congress in Berlin.

We did in fact notify Verisign and all other affected certificate authorities through Microsoft, who agreed to serve as an intermediary. The CAs were notified a week before the presentation. Verisign was made aware...

Re: Verisign were notified about this work prior to the presentation 2009-01-07
Ichinin (4 replies)
>The claim that Verisign was "not given any information on the research prior to its unveiling in Berlin" is simply not correct.


In large organisations it takes a while for information to be absorbed and distributed through the right channels. It is very unlikely that once Microsoft got the inf...

Re: Re: Verisign were notified about this work prior to the presentation 2009-01-07
Anonymous
"In large organisations it takes a while for information to be absorbed and distributed through the right channels. It is very unlikely that once Microsoft got the info, they threw themselves on the phones and called someone at Verisign. And even then after the information entered the organisation, ...

Re: Re: Verisign were notified about this work prior to the presentation 2009-01-08
Anonymous
This, and the merger as an excuse for not switching away from MD5, sounds like bad management is the real threat to security here. Corporations working in the security sector cannot afford for a critical bit of information to be floating around the office for weeks prior to getting to the right pers...

Re: Re: Verisign were notified about this work prior to the presentation 2009-01-08
Anonymous
Sorry, I have to call shenanigans on the part of Verisign and company.

If you're a security company selling a product that makes the claims that Verisign does it is their responsibility to alert their customer base to any exposure, no matter how insignificant, and to give them various options to ...

MD5 Hack Interesting, But Not Threatening 2009-01-08
Charles Hunter (1 replies)
For these guest vendor columnists, could we please make a sub under the headline that says "Guest industry columnist" or something like that? Or perhaps make the by line say, in this case, "Tim Callan, Verisign"
I had a really bad taste in my mouth from that article. I believed going in that Mr. C...

Re: MD5 Hack Interesting, But Not Threatening 2009-01-09
Robert Lemos (2 replies)
Hey Charles:

Can you let us know how you found the VeriSign column? We try to make sure that any distribution channel marks these pieces as a column or opinion piece to stress that they are opinions.

If you came via the SecurityFocus front page, the "article" as you call it, is clearly labeled...

Re: MD5 Hack Interesting, But Not Threatening 2009-01-09
Anonymous (1 replies)
Come on Rob, he's not saying he was confused whether it was a neutral news piece or an opinionated column. He knew it was a column but wants you to note up front that the columnist has a very personal stake in the subject of the column.

I'm with him, I started reading this thinking it was an obje...

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-14
Anonymous
Take the criticism you are seeing here as one that is constructive. This site has been going downhill for some time. You may also want to add some blogs that are useful. Having emergentchaos here is really pointless as they have not written anything useful. Why have them? Perhaps ask someone like Aitel o...

Re: Re: MD5 Hack Interesting, But Not Threatening 2009-01-16
Charles Hunter
Robert,

Sorry for the late reply. To answer your question, I found the column directly from the main page.

As one other person noted in this thread, I wasn't confused that this was a columnist, I was annoyed that the person's role/background/influence wasn't disclosed up front.
Like I said,...

Hilarious Corporate Spin! How about some real answers? 2009-01-10
Anonymous
This "column" is a total misplaced piece of propaganda. It's PR spin, plain and simple. It does not bring any clarity to the subject at hand.

What about all of the certificates that RapidSSL and Verisign issued since 1996? And since Wang's attack in 2004? And since 2007?

How many of the submit...

MD5 Hack Interesting, But Not Threatening 2009-01-12
xort
I found this article to be not much more than a waste of space on Security Focus. I would think someone from Verisign would have more sense than to say this is not a serious issue. The simple fact of the matter is, there are people out there with the computational power to successfully recreate atta...

MD5 Hack Interesting, But Not Threatening 2009-01-12
Chris Fahey
I can appreciate the editor/publisher wanting to be objective and give the SA industry to respond to the news that MD5 is weak. However, this article lacked objectivity and a critical thought process which is essential in understanding security and secure practices. In the future I'd suggest the edi...

Serious suggestions welcome... 2009-01-15
Robert Lemos
Several people have offered criticism of this column, in particular, and of certain other aspects of the SecurityFocus site as well (blog mix and column mix are two that come to mind).

Because it's hard to have a dialog in the comments section of an unrelated column, I wanted to make sure to let ...

MD5 Hack Interesting, But Not Threatening 2009-02-02
Jamie
Meanwhile Chris Wysopal takes a completely different view, merely two articles above this one. I know who I'm inclined to trust here - especially since I don't believe a word Verisign says since the whole sitefinder debacle....

Copyright 2009, SecurityFocus