Posted by: Ken Harthun
Cryptography, hashing algorithm, MD5, Security, SHA1, Vulnerabilities
Just last week, two German security researchers, Alex Sotirov and Jacob Appelbaum, made a surprising announcement at the Chaos Communication Conference in Berlin: they had created a fraudulent Certificate Authority (CA) that had a valid signature from a root CA, Equifax, one of the oldest. The ramifications of this are far-reaching. Imagine what will happen if cyber criminals generate fraudulent certificates. The phony certificates could be used to create phishing sites that would appear to browsers to be perfectly legitimate.
The extremely paranoid can remove any certificates that don’t rely on SHA1 hashes to protect their certificates and CAs should immediate ditch MD5.