
14% of SSL certificates use MD5

Andrew Lyle   on 04 January 2009 - 18:42 · 11 comments & 3814 views

As reported last week, on the possibility of MD5-signed SSL certificates being broken, a recent survey shows that 14% of the world's SSL certificates are still signed using the MD5 algorithm.

The attack lets an attacker forge an MD5-signed certificate that is accepted alongside a legitimately issued one. The researchers who discovered it have not released their method to the public, but warn that a real attack could follow if others work it out independently.

Roughly 135,000 valid third-party certificates on public web sites use MD5 signatures, which could allow attackers to forge certificates of their own. VeriSign (owner of RapidSSL) has stated that, since the vulnerability was disclosed, it will phase out MD5 signing and move to the safer SHA-1 signature by the end of January 2009. VeriSign is also offering to replace existing SSL certificates free of charge, on request, with ones using the SHA-1 signature.

Once most users have switched away from MD5 signatures, the attack will likely be neutralized, if not eliminated altogether. Browsers may also get an update that warns users when they visit a web site whose SSL certificate carries an MD5 signature, raising awareness and pushing site owners to upgrade.
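One way to check whether a certificate in your own chain still carries the MD5 signature discussed above, as an added example that is not from the article or from VeriSign: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and names it. The sample certificates it is run on are constructed skeletons, not real certificates.

```python
def _tlv(tag, content):
    """Encode one DER TLV; long-form length when content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _read_tlv(buf, pos):
    """Parse the DER TLV at buf[pos]; return (tag, value bytes, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents (base-128 arcs, high bit = continue) into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:                        # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",      # RFC 3279
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}  # RFC 4055

def signature_algorithm(cert_der):
    """Return (OID, name) of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    _, body, _ = _read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate (first child)
    _, alg, _ = _read_tlv(body, pos)        # signatureAlgorithm: AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = _read_tlv(alg, 0)     # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = _decode_oid(oid_raw)
    return oid, SIG_ALGS.get(oid, "unknown")

def make_sample_cert(oid_der):
    """Constructed certificate skeleton (not a real certificate) carrying the given signature OID."""
    return _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01"))                # placeholder tbsCertificate
                + _tlv(0x30, _tlv(0x06, oid_der) + b"\x05\x00")      # signatureAlgorithm + NULL params
                + _tlv(0x03, b"\x00" + b"\xaa" * 128))               # dummy signatureValue (long-form length)

SAMPLE_MD5_CERT = make_sample_cert(bytes.fromhex("2a864886f70d010104"))     # 1.2.840.113549.1.1.4
SAMPLE_SHA256_CERT = make_sample_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
```

For a real certificate, the standard library's `ssl.PEM_cert_to_DER_cert(pem_text)` yields the DER bytes to pass to `signature_algorithm`.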

Comments · 11 comments
#1 +tunafish on 04 Jan 2009 - 19:19
I still don't understand why some people still use MD5; has it not been attacked before for passwords etc.?
#2 WAR-DOG on 04 Jan 2009 - 19:48
If I recall that news from a few days ago, they did break the code with a few PS3 units connected together, so it's fairly hard to reproduce the procedure.
And yes, MD5 was the target of many attacks in the past, but no one really cares what algorithm their SSL uses, because they generally think that if they use SSL, that's about it as far as safety goes.
(3 replies) #3 Aeden on 04 Jan 2009 - 20:01
"vurnelable" in the front-page image.
#3.1 Marshalus on 04 Jan 2009 - 20:36
Aeden said,
"vurnelable" in the front-page image.
I think my fingers have been broken this weekend.
#3.2 Aeden on 04 Jan 2009 - 20:50
Marshalus said,
I think my fingers have been broken this weekend.
No problem, just wanted to let you know. I've definitely enjoyed the uptick of news postings of late.
#3.3 lylesback2 on 04 Jan 2009 - 22:12
Aeden said,
No problem, just wanted to let you know. I've definitely enjoyed the uptick of news postings of late.

Thanks. We have been pushing to keep the flow of articles coming, and not to make this a few month thing, but to keep the pressure on us news staff to keep the articles flowing.

Thanks again
(3 replies) #4 portauthority on 04 Jan 2009 - 22:51
Don't files have MD5 signatures? So if that can be spoofed... not good!
#4.1 lylesback2 on 04 Jan 2009 - 22:55
portauthority said,
Don't files have MD5 signatures? So if that can be spoofed... not good!

Yeah, that was mentioned in the previous discussion... not too sure, but I think this incident is isolated to SSL signatures.
#4.2 war on 05 Jan 2009 - 03:08
lylesback2 said,
Yeah, that was mentioned in the previous discussion... not too sure, but I think this incident is isolated to SSL signatures.
Seems that is correct today, as in only certs are cracked. But how long that will remain true is only a matter of time. Sadly, I bet MD5 signatures too will go the way of the dino within 6 months.
#4.3 Majesticmerc on 05 Jan 2009 - 04:27
Surely MD5 is MD5? If it's not the same, it's not the MD5 hashgorithm.
#5 neoraptor on 05 Jan 2009 - 09:21
Both MD5 and SHA-1 are hashing algorithms; however, MD5 is more vulnerable to collisions. With GPUs used for generating hashes, one can generate SHA-1 with the same ease (well, a magnitude slower).
