Computer security
VeriSign's RapidSSL certificates have now been transitioned to the SHA-1 algorithm

VeriSign addresses SSL certificate flaw

Firm replaces hashing function after security alert

Phil Muncaster

VeriSign has moved to address a flaw in its Secure Sockets Layer (SSL) certification technology, which could have allowed hackers to create false certificates.

SSL certificates are one of the most common ways for firms to prove that their web sites are secure and authentic. By creating false certificates, hackers could deter online shoppers and possibly undermine consumer faith in e-commerce.

Advertisement

The so-called 'collision attack' flaw, first published by researchers at the Chaos Communication Congress last week, was aimed at the MD5 hashing algorithm of certificates issued by the RapidSSL authority, according to VeriSign.

"This presentation showed how to combine MD5 collision attacks with some other clever bits of hacking to create a false certificate," Tim Callan, VeriSign's vice president of SSL product marketing, said in a blog posting.

"We have discontinued using MD5 when we issue RapidSSL certificates, and we've confirmed that all other SSL certificates we sell are not vulnerable to this attack."

VeriSign has now transitioned to the SHA-1 algorithm on new RapidSSL brand certificates, and said that it will replace MD5 certificates for existing customers free of charge.

Callan added that the company aims to discontinue MD5 in "all end entity certificates" by the end of this month.

Matthew Tyler, director of consultancy firm Evolution Security Systems, explained that the MD5 flaw highlights why certificate authorities must "keep up to speed" with the latest security threats.

"As computing power increases there is a need to keep algorithms in pace with this change. MD5 was created over 18 years ago and had issues even before it went live in 1996 over 12 years ago," he said.

"MD5 is an old and debunked hashing algorithm and should have been phased out by the slightly more secure SHA-1/2, with SHA-3 due for 2012."

Extended Validation SSL Certificates, which VeriSign has been promoting vigorously since their launch in late 2006, are not affected by the flaw.

  • Have your say
  • Send to a friend
  • Print
  • Digg
  • Reddit
  • Share

Do you agree?

Further reading

mouse

Internet attacks expected to hit a high today

PC Tools research warns retailers and online shoppers to be prepared for peak in attacks

Online shopping

VeriSign launches web shopping security guide

Security firm seeks to promote e-commerce while minimising the risks

Legislators under fire over heavy-handed security rules

Firms being forced to spend unnecessarily on perceived IT security risks, say experts at RSA show

VeriSign touts virtues of security 'green bar'

Extended Validation authentication programme ups site trust, claims company

Related whitepapers

Related jobs

Most watched

iPhone

Video Review: iPhone 3GS

We put Apple's latest iPhone through its paces

V3.co.uk weekly debrief, 5 Feb 2010

This week we cover the continuing controversy surrounding the Orange T-Mobile deal

Analysis and Reports

Using managed services to protect mobile data users from the latest security threats

Counting the cost of data security: the benefits of secured mobile services

Shifting Disaster Recovery targets with SharePoint and SQL server configurations

Using a hostbased recovery system for mission-critical systems

Poll

Adobe Flash poll

Adobe Flash poll

Do you agree with Steve Jobs about Flash being buggy?

View poll results

Advertisement

White paper library

Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.

Advertisement

Newsletter signup

Sign up for our range of FREE newsletters:

Existing User

Newsletter user login:

Enter email address to edit your newsletter preferences

Job of the week

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search

Hiring now on ComputingCareers:

Related IT jobs

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search

Advertisement

Spotlight

Windows 7

Microsoft denies Windows 7 battery problems

Replacement warning functioning normally, claims software giant

Safer Internet Day

Safer Internet Day highlights online threats

Annual initiative warns of phishing, ID theft and social network...

AMD Fusion

AMD details Fusion innovations at ISSCC

Forthcoming chip with four CPU and one GPU cores will...

MSI Wind U135

Review: MSI Wind U135 netbook

A decent netbook incorporating the latest Intel technology in a...

Primary Navigation