We have had some questions recently about the news that Berlin researchers had "broken SSL" by exploiting weaknesses in the "MD5" algorithm. Some of the news reports were alarming, and seemed to imply that worldwide electronic commerce was in grave danger as a result of their discovery.
While the weakness of MD5 has been known for a long time, the big news from Berlin was about how the team of security researchers and a room full of 200 Playstation 3 units managed to use those weaknesses to generate a counterfeit SSL certificate.
In theory, the researchers could have set up a fake https://www.paypal.com, and if they subsequently directed visitors to it (via DNS poisoning or some other redirection exploit), their fake site would be indistinguishable from the real thing.
But here's what the news doesn't mean.
- It doesn't mean that MD5-signed certificates already in use are "vulnerable" to something. There is no new exploit expressly designed to hack into sites utilizing MD5-signed certificates, for example.
- It also doesn't mean that the encrypted communication between site visitors and web servers with MD5-signed certificates is any less secure.
If your Modwest purchased-and-hosted certificate is MD5-signed, we will be happy to reissue and reinstall it upon request. Although your certificate is still secure, if you'd prefer a re-issued (non-MD5) certificate, just contact support and we'll take care of it.
To identify whether your SSL certificate is MD5-signed, you could use the SSL Blacklist Firefox plugin (despite its alarming warnings). Or visit your site securely (HTTPS-mode), double-click the SSL padlock, and look in the Details section for the 'Certificate Signature Algorithm'.
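The same check can be scripted. The following is an added example, not code from the original post: a minimal DER walker that reads the signatureAlgorithm field of a DER-encoded X.509 certificate and reports whether it is MD5-based. It assumes the certificate bytes come from something like `openssl x509 -in cert.pem -outform DER`; the `fake_cert` helper builds a constructed stand-in (not a real certificate) so the code runs offline.

```python
# Added example, not from the original post: a minimal DER walker (no third-party
# modules) that reads Certificate.signatureAlgorithm from a DER-encoded X.509 cert.
SIG_OIDS = {                                   # RFC 3279 / RFC 4055 names
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def der_tlv(data, pos):                        # -> (tag, contents, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):                           # base-128 arcs -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    _, cert, _ = der_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, _, pos = der_tlv(cert, 0)               # skip tbsCertificate
    _, alg, _ = der_tlv(cert, pos)             # signatureAlgorithm: AlgorithmIdentifier
    tag, oid, _ = der_tlv(alg, 0)              # its first element is the algorithm OID
    assert tag == 0x06, "expected an OID in AlgorithmIdentifier"
    return SIG_OIDS.get(decode_oid(oid), "unknown:" + decode_oid(oid))

def is_md5_signed(cert_der):
    return signature_algorithm(cert_der).startswith("md5")
# Constructed stand-in certificate for offline testing; not a real, signed cert.
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def tlv(tag, body):                            # short-form length only (< 128 bytes)
    return bytes([tag, len(body)]) + body

def fake_cert(sig_oid):                        # empty tbsCertificate + alg + dummy sig
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00" * 5))
```

Note that this reads the algorithm the CA used to sign your certificate, which is the field that matters here; the hash used for the TLS session itself is unaffected.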
For more information, see this FAQ from RapidSSL or Verisign's Blog for even more details and debate.
-JM