MD5 considered harmful today

Eric Rescorla ekr at
Tue Dec 30 20:02:35 EST 2008

At Tue, 30 Dec 2008 11:51:06 -0800 (PST),
"Hal Finney" wrote:
> Therefore the highest priority should be for the six bad CAs to change
> their procedures, at least start using random serial numbers and move
> rapidly to SHA1. As long as this happens before Eurocrypt or whenever
> the results end up being published, the danger will have been averted.
> This, I think, is the main message that should be communicated from this
> important result.

VeriSign says that they have already fixed RapidSSL:

   Q: How will VeriSign mitigate this problem?
   A: VeriSign has removed this vulnerability. As of shortly before this
   posting, the attack laid out this morning in Berlin cannot be
   successful against any RapidSSL certificate nor any other SSL
   Certificate that VeriSign sells under any brand.
   Q: Does that mean VeriSign has discontinued use of MD5?
   A: We have been in the process of phasing out the MD5 hashing
   algorithm for a long time now. MD5 is not in use in most VeriSign
   certificates for most applications, and until this morning our roadmap
   had us discontinuing the last use of MD5 in our customers'
   certificates before the end of January, 2009. Today's presentation
   showed how to combine MD5 collision attacks with some other clever
   bits of hacking to create a false certificate. We have discontinued
   using MD5 when we issue RapidSSL certificates, and we've confirmed
   that all other SSL Certificates we sell are not vulnerable to this
   attack. We'll continue on our path to discontinue MD5 in all end
   entity certificates by the end of January, 2009.

Incidentally, I most of the CA names in Slide 19 are VeriSign
brands. In particular RapidSSL, RSA, Thawte, and are
and I believe that FreeSSL is as well.
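The two mitigations in the thread, dropping MD5 signatures and issuing unpredictable serial numbers, are both things a relying party or a CA auditor can check for mechanically. The following Python is an added example, not code from this thread, VeriSign or any CA: it walks the DER of a certificate with a minimal hand-written TLV reader, reports the outer signature algorithm OID and the serial number, and flags md5WithRSA/md2WithRSA signatures and serials too short to be unpredictable. The 8-byte serial threshold, the skeletal certificates built by _constructed_cert (only the fields the check reads are populated, so they are not valid certificates) and the random_serial helper are assumptions of this example.

```python
import os

# AlgorithmIdentifier OIDs for RSA signatures (RFC 3279, RFC 4055)
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 MD5_WITH_RSA: "md5WithRSAEncryption"}
MIN_SERIAL_BYTES = 8  # example policy threshold (64 bits); assumed here, not from the page


def _read_tlv(buf, pos):
    """Decode one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Decode the TLVs contained in a constructed (SEQUENCE / [0]) value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """OID content octets -> dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_cert(der):
    """Return (signature OID, serial as int, serial length in bytes) of a DER Certificate."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _sig_value = _children(cert)[:3]
    # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, signature, ... }
    fields = _children(tbs[1])
    idx = 1 if fields[0][0] == 0xA0 else 0
    serial_raw = fields[idx][1]
    oid_raw = _children(sig_alg[1])[0][1]       # first element of AlgorithmIdentifier
    return decode_oid(oid_raw), int.from_bytes(serial_raw, "big", signed=True), len(serial_raw)


def policy_findings(der):
    """Defender-side checks: MD5/MD2 signature, and a serial too short to be unpredictable."""
    oid, _serial, serial_len = inspect_cert(der)
    findings = []
    if oid in WEAK_SIG_OIDS:
        findings.append(f"signature uses {WEAK_SIG_OIDS[oid]}")
    if serial_len < MIN_SERIAL_BYTES:
        findings.append(f"serial number is only {serial_len} byte(s): too short to be unpredictable")
    return findings


def random_serial(nbytes=16):
    """Unpredictable serial (the mitigation Hal recommends): CSPRNG bytes, shifted right by one
    so the DER INTEGER is positive without needing an extra leading zero octet."""
    return int.from_bytes(os.urandom(nbytes), "big") >> 1


# --- helpers that build constructed sample input (skeletal, not valid certificates) ---
def _tlv(tag, value):
    """Minimal definite-length DER encoder."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return body


def _constructed_cert(sig_oid, serial):
    """Certificate SEQUENCE with version, serial, inner and outer AlgorithmIdentifier and a dummy
    signature BIT STRING; everything else is omitted (constructed for this example only)."""
    alg_id = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")    # NULL parameters
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial_bytes) + alg_id)
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00" + b"\x00" * 16))


WEAK_CERT = _constructed_cert(MD5_WITH_RSA, 0x1234)            # MD5 signature, 2-byte serial
GOOD_CERT = _constructed_cert(SHA256_WITH_RSA, random_serial())

if __name__ == "__main__":
    for name, der in (("weak", WEAK_CERT), ("good", GOOD_CERT)):
        print(name, inspect_cert(der)[0], policy_findings(der) or "no findings")
```

On a real certificate chain the same inspect_cert call applies to each DER-encoded certificate in turn; the outer signatureAlgorithm is the one that matters for this attack, because that is the hash the issuing CA actually signed over.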

The Cryptography Mailing List