Monday, January 5, 2009

MD5 is not good for CA

Bruce Schneier, in his book Secrets and Lies, wrote how his friend at the NSA defines a CA: someone whom you know can violate your security policy without getting caught.

Well, now it has been proved that it is possible to spoof a certificate so that it appears to have been signed by a trusted CA.

An interesting presentation shows that, by exploiting the weakness of MD5, it is possible to create a rogue CA certificate.

Moral of the story: don't use MD5 to sign certificates.

UPDATE: you can use an IPS to block HTTPS sessions that use SSL certificates signed with an MD5 hash.
UPDATE2: there is a Firefox plugin to block MD5-signed certificates.



