Security Corner

Jan 7 2009   3:35AM GMT

MD5 Hashing Algorithm No Longer Safe

Ken Harthun Ken Harthun Profile: Ken Harthun

Just last week, two German security researchers, Alex Sotirov and Jacob Appelbaum, made a surprising announcement at the Chaos Communication Conference in Berlin: they had created a fraudulent Certificate Authority (CA) that had a valid signature from a root CA, Equifax, one of the oldest. The ramifications of this are far-reaching. Imagine what will happen if cyber criminals generate fraudulent certificates. The phony certificates could be used to create phishing sites that would appear to browsers to be perfectly legitimate.

Steve Gibson focused on this issue in his latest Security Now! podcast (#177). On the resource notes for the episode, Steve gives a link to the actual certificate with instructions on how to view it.

The extremely paranoid can remove any certificates that don’t rely on SHA1 hashes to protect their certificates and CAs should immediate ditch MD5.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: