Wednesday, December 31, 2008

the MD5/rogue certificate attack

i'm not going to bother pointing to all the many good stories out there describing the details of how a valid ssl certificate was faked by mounting a 2nd preimage attack on the MD5 hash using a legitimately purchased certificate as the starting point...

i'm just going to point out that, while some people think MD5 was broken in 2004, the fact of the matter is its use in new systems was deprecated back in 1995, and existing systems should have been moving away from it with all possible haste...

apparently there are ways to make this specific attack impossible without even changing the hash algorithm used (essentially salting the message) and that's certainly a good idea - but still there's no good reason for anything to be using MD5 at this stage of the game... there's been enough time for any legacy system that used it to have been reworked or replaced, and while we should probably start moving away from SHA1 as well (at least to SHA256 until the new SHA3 standard is selected), we should all have moved away from MD5 by now and if you haven't then shame on you...
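to make the two points above concrete, here is an added illustration (not code from the post, and not any real CA's implementation) of a toy certificate issuer that refuses deprecated hash algorithms and "salts" what it signs by putting an unpredictable serial number into the to-be-signed bytes. the `ToyCA`, `CertRequest`, `build_tbs` and `requester_can_predict` names, the 64-bit serial size and the accepted/deprecated hash sets are all assumptions made for this example; the "certificate" is a simple byte string, not real X.509 encoding. the demonstration is that a requester who knows the CA's policy can reproduce the exact signed bytes when serials are sequential, but cannot when they are random, which is what takes away the attacker's ability to pre-compute a colliding block.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed policy for this example: MD5 is refused outright, SHA-1 is
# listed as deprecated, and only the SHA-2 family is accepted for signing.
ACCEPTED_HASHES = {"sha256", "sha384", "sha512"}
DEPRECATED_HASHES = {"md5", "sha1"}


def is_accepted_hash(name: str) -> bool:
    """True only for algorithms the toy CA is still willing to sign with."""
    return name in ACCEPTED_HASHES and name not in DEPRECATED_HASHES


@dataclass(frozen=True)
class CertRequest:
    subject: str
    public_key: bytes  # constructed opaque blob; no real key material is parsed
    days_valid: int


def build_tbs(req: CertRequest, serial: bytes, not_before: int) -> bytes:
    """Canonical 'to-be-signed' bytes: the part of the certificate the CA hashes.

    A real TBSCertificate is DER-encoded ASN.1; this is a simplified stand-in
    that keeps the same ingredients (subject, serial, validity, public key).
    """
    not_after = not_before + req.days_valid * 86400
    return b"|".join([
        b"subject=" + req.subject.encode(),
        b"serial=" + serial.hex().encode(),
        b"notBefore=" + str(not_before).encode(),
        b"notAfter=" + str(not_after).encode(),
        b"spki=" + req.public_key,
    ])


class ToyCA:
    """Issuer that either hands out sequential serials (predictable) or
    64 random bits per certificate (the 'salt' the post alludes to)."""

    def __init__(self, random_serial: bool = True):
        self.random_serial = random_serial
        self._next_serial = 1

    def next_serial(self) -> bytes:
        if self.random_serial:
            return secrets.token_bytes(8)  # 64 bits the requester cannot know in advance
        serial = self._next_serial.to_bytes(8, "big")
        self._next_serial += 1
        return serial

    def issue(self, req: CertRequest, hash_alg: str, not_before: int):
        """Return (serial, tbs, hex digest) or raise if the hash is not allowed."""
        if not is_accepted_hash(hash_alg):
            raise ValueError(f"refusing to sign with deprecated/unknown hash {hash_alg!r}")
        serial = self.next_serial()
        tbs = build_tbs(req, serial, not_before)
        return serial, tbs, hashlib.new(hash_alg, tbs).hexdigest()


def requester_can_predict(ca: ToyCA, req: CertRequest, hash_alg: str, not_before: int) -> bool:
    """Model a requester who buys one certificate, then tries to guess every
    byte of the next one (assuming 'last serial + 1' and the same validity).
    Returns True if the guess matches what the CA actually signs."""
    first_serial, _, _ = ca.issue(req, hash_alg, not_before)
    guessed_serial = (int.from_bytes(first_serial, "big") + 1).to_bytes(8, "big")
    guessed_tbs = build_tbs(req, guessed_serial, not_before)
    _, actual_tbs, _ = ca.issue(req, hash_alg, not_before)
    return guessed_tbs == actual_tbs


if __name__ == "__main__":
    # Constructed sample request; the key bytes are a placeholder.
    req = CertRequest("CN=example.test", b"PLACEHOLDER-SPKI", 365)
    print("sequential serials predictable:",
          requester_can_predict(ToyCA(random_serial=False), req, "sha256", 1230768000))
    print("random serials predictable:    ",
          requester_can_predict(ToyCA(random_serial=True), req, "sha256", 1230768000))
    print("md5 accepted:", is_accepted_hash("md5"))
```

the random-serial branch defeats the prediction with overwhelming probability (a guess succeeds only if the 64-bit serial happens to be the previous one plus one); the hash-policy check is the separate, simpler fix the post actually argues for, and a real deployment wants both.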
