Forging SSL Certificates
by Daniel on Jan.01, 2009, under Security
For a while now, it’s been known that the MD5 hashing algorithm is susceptible to collisions, which reduces the level of security it provides, although predominantly in only a theoretical manner.
Now some enterprising researchers have used this vulnerability (along with 200 PS3s) to create a fake certificate authority, essentially allowing them to create certificates for any name that browsers will trust implicitly.
Schneier on Security: Forging SSL Certificates.
There are a couple of factors that mean the internet isn’t ‘broken’ by this:
- By itself, it’s not particularly useful to have a certificate for “example.com”; I also need to convince someone that “example.com” is at my IP address. (Some of the recent DNS vulnerabilities could be used for this.)
- Most CAs don’t use MD5 anymore, and those that do are moving to more secure algorithms.
One comment that Bruce made in his blog (linked above) that I disagree with is about people ignoring SSL warning messages. I have never ignored SSL warnings (and I make sure my family and colleagues do the same); they are there for a reason, and if I see one I make sure I understand why I am seeing it before doing anything I wouldn’t want to be compromised. I strongly recommend that SSL warnings (like all security messages) be taken seriously.
-Daniel
