14% of SSL certificates use MD5

Following last week's report that MD5-signed SSL certificates may be broken, a recent survey shows that 14% of the world still uses the MD5 algorithm to secure their SSL certificates.

The attack allows hackers to create a fake MD5-signed certificate alongside the existing one. It was discovered by researchers, who have not released the method of attack to the public but warn that attacks could follow if it is discovered.

Roughly 135,000 valid third-party certificates on public web sites use MD5 signatures, which could allow hackers to inject their own data into the SSL certificate. VeriSign (owners of RapidSSL) has stated that, following disclosure of the vulnerability, it will phase out MD5 signing and move to the safer SHA-1 signature by the end of January 2009. VeriSign is also offering, on request, free replacement of existing SSL certificates with ones that use the more advanced SHA-1 signature.

Once the growing number of users have switched away from MD5 signatures, the attack will likely be neutralized, or possibly non-existent. Browsers may also get an update that cautions users when they enter a web site whose SSL certificate uses an MD5 signature, raising awareness and forcing site owners to upgrade.

10 Comments

If I recall that news from a few days ago, they did break the code with a few PS3 units connected together, so it's fairly hard to reproduce the procedure.
And yes, MD5 was the target of many attacks in the past, but no one really cares what algorithm their SSL uses, because they generally think that if they use SSL, that's about it as far as safety goes.

Marshalus said,
I think my fingers have been broken this weekend.

:P No problem, just wanted to let you know. I've definitely enjoyed the uptick of news postings of late.

Aeden said,
:P No problem, just wanted to let you know. I've definitely enjoyed the uptick of news postings of late.

Thanks. We have been pushing to keep the flow of articles coming, and not to make this a few month thing, but to keep the pressure on us news staff to keep the articles flowing.

Thanks again

portauthority said,
don't files have md5 signatures? so if that can be spoofed .. not good!

Yeah that was mentioned in the previous discussion.. not too sure, but I think this is an isolated incident to SSL signatures

lylesback2 said,
Yeah that was mentioned in the previous discussion.. not too sure, but I think this is an isolated incident to SSL signatures
Seems that is correct today, as in only certs are cracked. But how long that will remain true is only a matter of time. Sadly, I bet md5 signatures too will go the way of the dino within 6 months.

Both md5 and sha1 are hashing algorithms, however md5 is more vulnerable to collisions. With GPUs used for generating hashes one can generate sha1 with the same ease (well a magnitude slower)
