| |||||||||||||
25C3: MD5 collisions crack CA certificate (heise online)25C3: MD5 collisions crack CA certificate (heise online)Posted Dec 31, 2008 19:28 UTC (Wed) by flewellyn (subscriber, #5047)In reply to: 25C3: MD5 collisions crack CA certificate (heise online) by endecotp Parent article: 25C3: MD5 collisions crack CA certificate (heise online) According to the article, that might be problematic: The infrastructure of Certification Authorities is meant to prevent this kind of attack, but despite warnings, some root CAs are still using MD5, leaving people potentially exposed to the possibility of forged certificates. The team found the following CAs still using MD5; RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte and verisign.co.jp. They collected 30,000 certificates and found 9,000 of them were signed with MD5 and of them, 97 per cent were issued by RapidSSL. Because of this and other attributes of RapidSSL's procedures, such as use of sequential serial numbers in issued certificates, the researchers examined RapidSSL's certificates in greater depth.
(Log in to post comments)
25C3: MD5 collisions crack CA certificate (heise online) Posted Dec 31, 2008 23:02 UTC (Wed) by jwb (guest, #15467) [Link]
It doesn't matter if it is "problematic" because the duty of Mozilla.org, Microsoft, Apple, et al, is to protect the users by only shipping the root certificates of compliant authorities. The browser vendors have no duty whatsoever to the holders of subordinate certificates.
It may be inconvenient for a few tens of thousands of certificate holders, but if they are really upset about it they can sue their CA.
|
|||||||||||||