MD5 considered harmful today
ekr at networkresonance.com
Tue Dec 30 20:02:35 EST 2008
At Tue, 30 Dec 2008 11:51:06 -0800 (PST),
"Hal Finney" wrote:
> Therefore the highest priority should be for the six bad CAs to change
> their procedures, at least start using random serial numbers and move
> rapidly to SHA1. As long as this happens before Eurocrypt or whenever
> the results end up being published, the danger will have been averted.
> This, I think, is the main message that should be communicated from this
> important result.
VeriSign says that they have already fixed RapidSSL:
Q: How will VeriSign mitigate this problem?
A: VeriSign has removed this vulnerability. As of shortly before this
posting, the attack laid out this morning in Berlin cannot be
successful against any RapidSSL certificate nor any other SSL
Certificate that VeriSign sells under any brand.
Q: Does that mean VeriSign has discontinued use of MD5?
A: We have been in the process of phasing out the MD5 hashing
algorithm for a long time now. MD5 is not in use in most VeriSign
certificates for most applications, and until this morning our roadmap
had us discontinuing the last use of MD5 in our customers'
certificates before the end of January, 2009. Today's presentation
showed how to combine MD5 collision attacks with some other clever
bits of hacking to create a false certificate. We have discontinued
using MD5 when we issue RapidSSL certificates, and we've confirmed
that all other SSL Certificates we sell are not vulnerable to this
attack. We'll continue on our path to discontinue MD5 in all end
entity certificates by the end of January, 2009.
Incidentally, most of the CA names in Slide 19 are VeriSign
brands. In particular RapidSSL, RSA, Thawte, and Verisign.co.jp are,
and I believe that FreeSSL is as well.
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
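Added example, not part of the post above and not any CA's own code: why "random serial numbers" is the procedural fix Hal singles out. A chosen-prefix MD5 collision has to be computed against the exact to-be-signed bytes the CA will later sign, so a CA that hands out serial numbers by incrementing the previous one gives the attacker that prediction for free, while a CSPRNG serial takes it away. The class names, the 127-bit serial size and the serial-only attacker model (the real attack also had to hit the validity timestamp) are assumptions chosen for this illustration.

```python
# Added example (not from the post, not from any CA): predictable versus random
# certificate serial numbers as seen from the collision builder's side.
import secrets

MAX_SERIAL_OCTETS = 20   # RFC 5280 4.1.2.2: serialNumber content is at most 20 octets
SERIAL_BITS = 127        # assumption: 16-octet serial with the sign bit left clear


def der_integer(value):
    """Minimal DER INTEGER (tag 0x02) for a non-negative value."""
    if value < 0:
        raise ValueError("only non-negative serials are encoded here")
    # +8 reserves a leading 0x00 when the top bit of the first byte would be set
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    # drop redundant leading zeros, keeping one if the next byte has its high bit set
    while len(body) > 1 and body[0] == 0 and body[1] < 0x80:
        body = body[1:]
    return bytes([0x02, len(body)]) + body


def serial_is_valid(serial):
    """RFC 5280: a serial must be positive and its DER content must fit in 20 octets."""
    return serial > 0 and len(der_integer(serial)) - 2 <= MAX_SERIAL_OCTETS


class SequentialIssuer:
    """Issuance the way the attacked CA did it: each new certificate gets previous + 1."""

    def __init__(self, start=1000):
        self.last = start

    def next_serial(self):
        self.last += 1
        return self.last


class RandomIssuer:
    """Issuance with a CSPRNG serial: nothing an earlier purchase reveals helps predict it."""

    def next_serial(self):
        while True:
            s = secrets.randbits(SERIAL_BITS)
            if s:            # zero is not a legal serial number
                return s


def predict_next_serial(observed):
    """The attacker's job: commit to the serial of a certificate the CA has not yet signed.
    If every observed serial advanced by the same step, extrapolate; otherwise give up."""
    if len(observed) < 2:
        return None
    steps = {b - a for a, b in zip(observed, observed[1:])}
    return observed[-1] + steps.pop() if len(steps) == 1 else None


def attack_succeeds(issuer, n_observed=4):
    """Buy n_observed certificates to learn the pattern, guess the next serial, then check
    whether the certificate the CA actually signs matches the guessed to-be-signed data.
    (The serial is the only predicted field here; the 2008 attack also had to predict
    the validity period, which this example leaves out.)"""
    observed = [issuer.next_serial() for _ in range(n_observed)]
    guess = predict_next_serial(observed)
    actual = issuer.next_serial()
    return guess is not None and guess == actual


if __name__ == "__main__":
    print("sequential serials, attacker predicts next:", attack_succeeds(SequentialIssuer()))
    print("random serials, attacker predicts next:    ", attack_succeeds(RandomIssuer()))
```

Moving the signature algorithm off MD5 is what removes the collision itself; the random serial is the cheaper change a CA can make immediately, and it remains worth having afterwards because it also blunts any future chosen-prefix attack on whatever hash replaces MD5.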