MD5 Hash Algorithm Flaw Allows Fraudulent Certificates (December 30 & 31, 2008 & January 5, 2009)
A vulnerability in the MD5 hash algorithm used to generate digital certificates could allow cyber criminals to generate fraudulent certificates. The phony certificates could be used to create phishing sites that would appear to browsers to be legitimate. The problem was the subject of a presentation at the chaos Communications Conference in Berlin last month. Certificate authorities that use MD5 hashes should change to SHA1 hashes to protect their certificates' integrity. A number of certificate authorities are still are using MD5, and some estimates say that 14 percent of all websites are using certificates generated with MD5.
http://isc.sans.org/diary.html?storyid=5590&rss
http://gcn.com/Articles/2008/12/31/SSL-certs-busted.aspx?p=1
http://www.securityfocus.com/news/11541
http://www.heise-online.co.uk/security/25C3-MD5-collisions-crack-CA-certificate--/news/112327
http://www.securityfocus.com/brief/880
[Editor's Note (Honan): This attack should not come as a major surprise as weaknesses in the MD5 hash algorithm have been known since 2004. The SANS Internet Storm Center has a good write up of the issue with a list of vendor statements regarding the status of their certificates at
http://isc.sans.org/diary.html?storyid=5590.
You can also use this site http://www.networking4all.com/nl/helpdesk/tools/site+check/ to check what SSL certificates are being used by a site you are visiting.]
No comments:
Post a Comment