VeriSign drops vulnerable certificate algorithm

The provider of Internet trust assurances said it was transitioning from MD5 to the SHA-1 algorithm for its new RapidSSL brand certificates. It also pledged to reissue any RapidSSL certificates created with MD5, using SHA-1.

Earlier this week, several teams of researchers presented research at the Chaos Communication Congress in Berlin about MD5 problems.

The researchers included independent ones from California, as well as teams from the Centrum Wiskunde & Informatica (CWI) and Eindhoven University of Technology in the Netherlands, and the Ecole Polytechnique Federal de Lausanne in Switzerland.

The researchers were able to generate two messages with one digital signature, using MD5. Digital certificates are supposed to have unique signatures. Four years ago, Chinese researchers first identified the vulnerability when they created a similar collision attack.

Researchers had estimated it would take more than 30 years of computer processing to generate such a fake certificate.

But the paper presented in Berlin showed there are more efficient ways. Using more than 200 Sony PlayStation 3 video-game machines in a cluster, the latest research effort was able to generate two fake messages with the same digital signature in only three days.

Observers had differing opinions on the impact of the research. The head of computer security at British Telecom, for instance, told news media that most people don't rely on digital certificates anyway.

But many others suggested the impact could be enormous. Although only some sites are using the older digital certificates, all browsers accept them.

When visiting Web sites, a locked padlock in a browser corner is intended to indicate to the user that the site uses digital certificates issued by one of several trusted certificate authorities, such as VeriSign.

(Source: NewsFactor)

Technorati Tags: ,,

Related Posts by Categories

Widget by Hoctro

Enter your email address:

Delivered by FeedBurner


Source Code