As reported last week, about the possible MD5 SSL certificate bring broken, a recent survey was taken that shows 14% of the world still uses the MD5 algorithm to secure their SSL certificates.
The attack allows hackers to create a fake MD5-signed certificate, alongside the existing one, creating a fake certificate. The attack was discovered by researchers, who have not released the method of attack to the public, but warns of a possible incoming attack if discovered.
Roughly 135,000 valid third party certificates use the MD5 signatures, on public web sites, which could allow hackers to inject their own data to the SSL certificate. Verisign (owners of RapidSSL) have stated since the attack vulnerability, they will phase out using the MD5-signing and move to the safer SHA-1 signature by the end of January 2009. VeriSign is also offering a free replacement of existing SSL certificates to be replaced if requested using the more advanced SHA-a signature.
Once the growing number of users have switched over from the MD5 signature, it will be likely that the attack will be neutralized, or possibly non-existent. Browsers may possibly get an update that could help caution users when entering a web site that uses an MD5 signature on their SSL certificate, raising awareness, and forcing site owners to upgrade.
10 Comments - Add comment