MD5 Hashing Algorithm No Longer Safe
Posted by: Ken Harthun
Just last week, at the 25th Chaos Communication Congress (25C3) in Berlin, a team of researchers including Alexander Sotirov, Jacob Appelbaum, Marc Stevens, Arjen Lenstra and Benne de Weger made a surprising announcement: they had created a rogue intermediate Certificate Authority (CA) certificate carrying a valid signature that chains up to one of the oldest roots in the browsers, Equifax's Secure Global eBusiness CA-1. The weak link was MD5. The commercial CA that issued their certificate (RapidSSL) was still signing with MD5, and a chosen-prefix MD5 collision let them obtain a signature on a harmless web-server certificate that is equally valid on a second, deliberately crafted certificate marked as a CA. The ramifications of this are far-reaching. Anyone who repeats the attack can mint certificates for any domain, and phishing sites bearing them would appear to browsers to be perfectly legitimate, padlock and all.
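The mechanism, reduced to a few dozen lines. This is an added illustration, not the researchers' code: it shrinks the signing hash to the first 32 bits of MD5 so that a chosen-prefix collision falls out of a plain birthday search in a second or two, replaces the CA's key with textbook RSA over two Mersenne primes, and uses short constructed strings in place of the two ASN.1 certificate bodies (the benign request and the rogue CA body below are made up for the demo). Against full MD5 the collision needed a differential-path attack and a cluster of PlayStation 3 consoles, but the outcome is identical: one signature from the CA, two certificates that it validates.

```python
import hashlib

# --- Toy parameters (assumptions for this demo, not the real attack's) --------
DIGEST_BYTES = 4  # truncate MD5 to 32 bits so a birthday search finds collisions fast

def weak_hash(data: bytes) -> bytes:
    """Stand-in for the CA's signing hash: the first 32 bits of MD5."""
    return hashlib.md5(data).digest()[:DIGEST_BYTES]

# Toy CA key: two Mersenne primes (2^31-1 and 2^61-1) and the usual e = 65537.
# Textbook RSA with no padding; the real attack works just as well against
# PKCS#1 v1.5 because that padding is a deterministic function of the digest.
P, Q, E = (1 << 31) - 1, (1 << 61) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def ca_sign(tbs: bytes) -> int:
    """What the CA does: sign the digest of the to-be-signed bytes, H(m)^d mod n."""
    return pow(int.from_bytes(weak_hash(tbs), "big"), D, N)

def verify(tbs: bytes, sig: int) -> bool:
    """What a browser does: recompute the digest and compare it with sig^e mod n."""
    return pow(sig, E, N) == int.from_bytes(weak_hash(tbs), "big")

def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes, batch: int = 1 << 16):
    """Find suffixes sa, sb with weak_hash(prefix_a + sa) == weak_hash(prefix_b + sb).

    Two different chosen prefixes (benign request vs. rogue CA body) are each
    extended with a 4-byte counter until their 32-bit digests meet. Against full
    128-bit MD5 this brute force is hopeless and a cryptanalytic attack is needed;
    the result is the same: two messages, one digest."""
    table = {}       # digest -> suffix that produced it under prefix_a
    counter = 0
    while True:
        for i in range(counter, counter + batch):
            sa = i.to_bytes(4, "big")
            table[weak_hash(prefix_a + sa)] = sa
        for i in range(counter, counter + batch):
            sb = i.to_bytes(4, "big")
            sa = table.get(weak_hash(prefix_b + sb))
            if sa is not None:
                return prefix_a + sa, prefix_b + sb
        counter += batch

def forge_rogue_ca():
    """Get one CA signature on a harmless request and reuse it on a rogue CA body."""
    # Constructed stand-ins for two tbsCertificate bodies (real ones are ASN.1).
    benign = b"subject=CN=www.example.com; basicConstraints=CA:FALSE; tail="
    rogue = b"subject=CN=Rogue Intermediate CA; basicConstraints=CA:TRUE; tail="
    benign_cert, rogue_cert = chosen_prefix_collision(benign, rogue)
    sig = ca_sign(benign_cert)   # the CA only ever sees and signs the benign request
    return {
        "same_digest": weak_hash(benign_cert) == weak_hash(rogue_cert),
        "benign_verifies": verify(benign_cert, sig),
        "rogue_verifies": verify(rogue_cert, sig),   # same signature, rogue body
        "bodies_differ": benign_cert != rogue_cert,
    }

if __name__ == "__main__":
    print(forge_rogue_ca())
```

Note where the attacker's control lies: the CA sees only the benign request and never the rogue body, yet the signature it returns is a signature over the digest, and the digest is all the two bodies share. Everything a verifier checks (issuer, validity period, the CA:TRUE flag) lives in the part the attacker chose.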
Steve Gibson focused on this issue in his latest Security Now! podcast (#177). In the show notes for the episode, Steve links to the rogue certificate itself, with instructions on how to view it.
The extremely paranoid can go through their browser's certificate store and remove any CA certificates that were signed with MD5 rather than SHA-1. Look at the intermediates, not the roots: a root is trusted because it sits in the store, so its own self-signature is irrelevant, while an MD5 signature on an intermediate is exactly what this attack abuses. CAs should immediately ditch MD5, and since SHA-1 has since been shown to be collision-prone as well, the durable fix is SHA-256.
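One way to act on that advice, as an added script of my own rather than anything from the podcast or the show notes: it walks the DER of a certificate using only the standard library and reports which hash the issuer signed it with. The certificate it checks here is a constructed skeleton with placeholder names, key and signature value, built with the same tiny DER encoder; the algorithm OIDs are the standard PKCS#1 ones, and the SHA-1 "WEAK" class reflects the 2017 collision results rather than the state of play when the attack was announced.

```python
import ssl  # PEM_cert_to_DER_cert turns PEM from ssl.get_server_certificate() into DER

# Signature-algorithm OIDs (PKCS#1 / RFC 3279 / RFC 4055).
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
BROKEN = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}  # collisions are practical
WEAK = {"1.2.840.113549.1.1.5"}                            # SHA-1: collisions shown in 2017

def der_read(buf: bytes, pos: int = 0):
    """Decode one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes):
    """Split a constructed value (SEQUENCE etc.) into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithms(cert_der: bytes):
    """Return (tbsCertificate.signature, Certificate.signatureAlgorithm) as dotted OIDs."""
    _, cert, _ = der_read(cert_der)
    (_, tbs), (_, outer_alg), _sig_value = der_children(cert)[:3]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # explicit [0] version is OPTIONAL (absent = v1)
        fields = fields[1:]
    _serial, (_, inner_alg) = fields[0], fields[1]
    return (decode_oid(der_children(inner_alg)[0][1]),
            decode_oid(der_children(outer_alg)[0][1]))

def check_cert(cert_der: bytes):
    """Classify a DER certificate by the hash its issuer signed it with."""
    inner, outer = signature_algorithms(cert_der)
    name = SIG_OIDS.get(outer, outer)
    if inner != outer:                      # RFC 5280 requires the two fields to match
        return "MISMATCH", name
    if outer in BROKEN:
        return "BROKEN", name
    if outer in WEAK:
        return "WEAK", name
    return "OK", name

def check_pem(pem: str):
    return check_cert(ssl.PEM_cert_to_DER_cert(pem))

# --- Constructed sample: a minimal DER certificate skeleton, not a real cert ---
def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, out)

def sample_cert(tbs_oid: str, outer_oid: str = None) -> bytes:
    """Dummy Certificate with the given algorithm OIDs; names, key and signature are placeholders."""
    alg = lambda oid: der(0x30, encode_oid(oid) + der(0x05, b""))  # AlgorithmIdentifier, NULL params
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                        # version v3
              + der(0x02, b"\x01")                                 # serialNumber
              + alg(tbs_oid)                                       # signature
              + der(0x30, b"")                                     # issuer (placeholder)
              + der(0x30, der(0x17, b"090101000000Z") + der(0x17, b"100101000000Z"))
              + der(0x30, b"")                                     # subject (placeholder)
              + der(0x30, b""))                                    # subjectPublicKeyInfo (placeholder)
    return der(0x30, tbs + alg(outer_oid or tbs_oid) + der(0x03, b"\x00" * 17))

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_cert(sample_cert(oid)))
```

For a real chain, feed `check_cert` the DER of each intermediate; the leaf that `ssl.get_server_certificate` returns is the least interesting one, since the rogue certificate in this attack was an intermediate, and whatever it issues below itself can be signed with any hash at all. The root's self-signature can be ignored for the reason given above. The MISMATCH case is worth keeping: a verifier that reads only the outer `signatureAlgorithm` can be told a different story than the one the signed bytes carry.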