2009-01-05
A few days ago at the Chaos Communication Congress in Berlin, researchers presented a paper in which they used an MD5 collision attack and substantial computing power to obtain a forged SSL certificate that browsers would trust, issued under the RapidSSL brand of SSL certificate. Since then there has been a great deal of confusion and misinformation in the press and on blogs about the specifics of this attack and what it means for the online ecosystem.
Comments:
MD5 Hack Interesting, But Not Threatening (2009-01-06), Charlie Miller (1 reply)
    Re: MD5 Hack Interesting, But Not Threatening (2009-01-06), Robert Lemos (5 replies)
MD5 Hack Interesting, But Not Threatening (2009-01-08), Charles Hunter (1 reply)
    Re: MD5 Hack Interesting, But Not Threatening (2009-01-09), Robert Lemos (2 replies)

We did in fact notify Verisign and all other affected certificate authorities through Microsoft, who agreed to serve as an intermediary. The CAs were notified a week before the presentation. Verisign was made aware that we've made improvements to the MD5 collision attack published in 2007 and that they should stop using MD5 as soon as possible.
I have published a complete timeline of our contacts with Verisign, including all information we've given them and their responses:
http://www.phreedom.org/blog/2009/verisign-and-responsible-disclosure/
The claim that Verisign was "not given any information on the research prior to its unveiling in Berlin" is simply not correct.
Link to this comment: http://www.securityfocus.com/comments/columns/488/35297#35297
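The comment above tells CAs to stop using MD5; the check on the operator's side is to look at the signatureAlgorithm of every certificate in a chain, since an MD5-signed certificate anywhere in it is what the collision attack targets. The Python below is an added example, not code from the column, the commenter or the Berlin paper. It uses only the standard library, walks just enough DER to read Certificate.signatureAlgorithm, and flags md5WithRSAEncryption (OID 1.2.840.113549.1.1.4). The sample inputs are constructed stand-ins with a dummy tbsCertificate and signature, not real certificates, and the function names (fake_certificate, check_chain and the rest) are mine.

```python
"""Flag MD5-signed certificates by reading Certificate.signatureAlgorithm (stdlib only)."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055), dotted form -> name.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_RSA = "1.2.840.113549.1.1.4"

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted notation."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert, pos)  # signatureAlgorithm
    tag2, oid, _ = _read_tlv(alg_id, 0)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)

def check_chain(pem_bundle):
    """Return [(index, algorithm name, signed_with_md5)] for each certificate in a PEM bundle."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    results = []
    for i, m in enumerate(re.finditer(pattern, pem_bundle, re.S)):
        der = base64.b64decode("".join(m.group(1).split()))
        oid = signature_algorithm(der)
        results.append((i, SIG_OIDS.get(oid, oid), oid == MD5_RSA))
    return results

# --- constructed sample input: a DER skeleton with the right outer layout, NOT a real cert ---
def _tlv(tag, content):
    """Encode one DER TLV with a short or long definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """Encode a dotted OID as DER content octets (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_certificate(sig_oid):
    """Stand-in certificate: dummy tbsCertificate, the given signatureAlgorithm, dummy signature.
    It would never validate; it only exercises the path signature_algorithm() walks."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # { oid, NULL }
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 128)        # 129-byte BIT STRING forces a long-form length
    return _tlv(0x30, tbs + alg + sig)

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    bundle = to_pem(fake_certificate(MD5_RSA)) + to_pem(fake_certificate("1.2.840.113549.1.1.11"))
    for idx, name, md5 in check_chain(bundle):
        print(f"cert[{idx}]: {name}" + ("   <-- MD5-signed, replace" if md5 else ""))
```

Feed check_chain() the contents of a real PEM bundle (for example the chain a server sends) and it reports each certificate's signature algorithm. Only the outer signatureAlgorithm is read because that is the field the issuing CA's signature actually covers; RFC 5280 requires the signature field inside tbsCertificate to match it, so a mismatch there is itself a reason to reject the certificate.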