Steve Bellovin on the MD5 Collision attacks, more on Wired

David G. Koontz david_koontz at
Tue Dec 30 15:11:09 EST 2008

Steve mentions the social pressures involved in disclosing the vulnerability:

Verisign, in particular, appears to have been caught short. One of the CAs
they operate still uses MD5. They said:

    The RapidSSL certificates are currently using the MD5 hash function
    today. And the reason for that is because when you're dealing with
    widespread technology and [public key infrastructure] technology, you have
    phase-in and phase-out processes that can take significant periods of
    time to implement.

[4 years?]

Legal pressure? Sotirov and company are not "hackers"; they're respected
researchers. But the legal climate is such that they feared an injunction.
Nor are such fears ill-founded; others have had such trouble. Verisign isn't
happy: "We're a little frustrated at Verisign that we seem to be the only
people not briefed on this". But given that the researchers couldn't know
how Verisign would react, in today's climate they felt they had to be cautious.

This is a dangerous trend. If good guys are afraid to find flaws in fielded
systems, that effort will be left to the bad guys. Remember that for
academics, publication is the only way they're really "paid". We need a
legal structure in place to protect security researchers. To paraphrase an
old saying, security flaws don't crack systems, bad guys do.
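
An added example, not from Bellovin's post, the Wired article or this list: a dependency-free Python check that reads the outer signatureAlgorithm of a DER-encoded X.509 certificate and flags md5WithRSAEncryption, the kind of chain scan a defender would run to find certificates still issued the way the RapidSSL ones were. The sample certificates are constructed DER skeletons (only the signatureAlgorithm field is realistic) and the function names are my own.

```python
MD5_RSA = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption, the algorithm RapidSSL still used
SIG_NAMES = {MD5_RSA: "md5WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Dotted form of OBJECT IDENTIFIER content bytes (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, tbs_end = read_tlv(cert_der, start)           # skip tbsCertificate
    tag, alg_start, _ = read_tlv(cert_der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(cert_der[oid_start:oid_end])

def check_signature_algorithm(cert_der):
    """Return (algorithm name, True if MD5) so a chain scanner can flag it."""
    oid = signature_algorithm_oid(cert_der)
    return SIG_NAMES.get(oid, oid), oid == MD5_RSA

# Constructed sample input: DER skeletons whose tbsCertificate and
# signatureValue are placeholders; only signatureAlgorithm is realistic.
def der(tag, content):                                  # short-form lengths only (< 128 bytes)
    return bytes([tag, len(content)]) + content

def fake_cert(alg_oid_hex):
    tbs = der(0x30, der(0x02, b"\x01"))                 # stand-in for a real TBSCertificate
    alg = der(0x30, der(0x06, bytes.fromhex(alg_oid_hex)) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 5))

MD5_CERT = fake_cert("2a864886f70d010104")              # 1.2.840.113549.1.1.4
SHA256_CERT = fake_cert("2a864886f70d01010b")           # 1.2.840.113549.1.1.11
```

On a real chain, feed each DER member to check_signature_algorithm; a root's self-signature is not verified by clients, so the intermediates and leaves are the ones that matter.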


The researchers provided information under NDA to browser manufacturers, and
Microsoft contacted Verisign without providing any real details (from the
Wired article):

Callan confirms Verisign was contacted by Microsoft, but he says the NDA
prevented the software-maker from providing any meaningful details on the
threat. "We're a little frustrated at Verisign that we seem to be the only
people not briefed on this," he says.

The researchers expect that their forged CA certificate will be revoked by
Verisign following their talk, rendering it powerless. As a precaution, they
set the expiration date on the certificate to August 2004, ensuring that any
website validated through the bogus certificate would generate a warning
message in a user's browser.


The 2007 paper

Chosen-prefix Collisions for MD5 and Colliding X.509 Certificates for Different
Identities, Marc Stevens, Arjen Lenstra, and Benne de Weger

(also from the Wired article)


Nate Lawson's comments
To paraphrase Gibson, “Crypto security is available already, it just isn’t
equally distributed.”

The Cryptography Mailing List