tgdaily.com — Netcraft provided more details on a critical digital certificate vulnerability revealed last week. Although Microsoft downplayed the problem by stating that the successful exploit was not published, Netcraft found that 14% of SSL certificates (135,000 total!) use the vulnerable MD5 hashing algorithm.
Jan 3, 2009 View in Crawl 4
Closed AccountJan 4, 2009
Not exactly related, but my university mail, google mail, blogger, and google reader's secure sites have all suddenly stopped working for me...
tightscrummyJan 4, 2009
Except when they gave a Microsoft cert to somebody unaffliated with Micorsoft. <a class="user" href="http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx">http://www.microsoft.com/technet/security/bulletin ...</a>Back then most browsers had revocation disabled too.
jesusjones128Jan 5, 2009
Alot of people seem to be missing the bigger picture. It's not a website specific thing, it's more of a browser issue if anything. The attackers could sign certificates as if they were one of the bigger CAs(Such as Thawte or Verisign), and there will be no complaints from the browser since most automatically accept those as being trusted. It's an easy fix really, just patch the browsers to warn on any hashed certs. The real problem would occur if someone ran a phishing site, it could look very legitimate with signed certs, couple that with DNS poisoning and it would be almost indistinguishable.
gabbagabbaheyJan 5, 2009
The better way would be to remove the flawed MD5 CA root certificates via a browser update.
gabbagabbaheyJan 5, 2009
Does anyone really think that anyone is going to check the hashing algorithm used for every SSL-enabled site they visit?
morcheebaJan 5, 2009
Why wouldn't they have a folding@home capability? There's no reason to limit the botnet to spam only - why not try anything that is profitable? Chances are that they've already got a self-updating feature that will upload new code, because this is useful for evading anti-virus programs and adding new infection vectors.
nabiyJan 5, 2009
no, you shouldn't check the hashing algorithm of every SSL-enabled site you visit. that wouldn't make sense. Just the ones you trust and rely on (like your bank).
ibell63Mar 9, 2009
I'm pretty sure the login uses SSL, why wouldn't it?