2009-01-05
A few days ago at the Chaos Communication Congress in Berlin, researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL certificate using the RapidSSL brand of SSL certificate. In the intervening time we have seen a great deal of confusion and misinformation in the press and blogosphere about the specifics of this attack and what it means to the online ecosystem.
MD5 Hack Interesting, But Not Threatening
2009-01-06
Charlie Miller (1 replies)
Re: MD5 Hack Interesting, But Not Threatening
2009-01-06
Robert Lemos (5 replies)
Verisign were notified about this work prior to the presentation
2009-01-06
Alexander Sotirov (1 replies)
MD5 Hack Interesting, But Not Threatening
2009-01-08
Charles Hunter (1 replies)
Re: MD5 Hack Interesting, But Not Threatening
2009-01-09
Robert Lemos (2 replies)

Because SHA-256 is not well supported in some environments. Migration to SHA-256 will happen because it must, but folks are just now waking up to it.
Most also have their heads in a very dark place concerning older certs that won't expire for years.
IMO vendors should proactively re-config to gen SHA-256 Certs. Contact all holders of SHA-1 certs, offer to replace all old SHA-1 certs with new SHA-256 certs with the same expiration for free or if your cert expires shortly you can pay for a brand new one. Good cust serv and new revenue model.
Of course the vendors will have to advise customers how to upgrade their systems if the users' systems don't support SHA-256.