Wednesday, December 31, 2008

MD5 Considered Harmful Today or Don't Put Too Much Faith in PKI

A group of 7 security researchers from the United States, Switzerland, and the Netherlands has released details of an exploitation ("MD5 considered harmful today") in the now well-known MD5 Hash Collision vulnerability that would allow a rogue web site to issue a rogue SSL certificate... as well as a rogue signing certificate that is trusted by a valid root Certificate Authority.

Putting that all into English (or at least non-geekspeak):

"Secure" web sites can be impersonated by evildoers, even with the cute little lock icon and a completely "valid" certificate as far as your browser is concerned. This web site could be your bank.

The paper discusses countermeasures, mostly aimed at Certificate Authorities (CAs) and browser vendors. One thing you can do is look at your certificate chain for critical sites to see if MD5 is used by the CA's signing certificate.

The Mozilla developers are already working on a patch for Firefox, et al.: