A new paper outlines how it's possible to use MD5 collisions to spoof a legitimate certificate authority's (CA) certificate, which means someone could spoof the security of nearly any site - even banks.
The basic problem is that two different blocks of data can have exactly the same MD5 hash, which means you can't rely on MD5 alone as an integrity check on what a signature covers. Unfortunately some CAs still use MD5 to sign certificates - that's one of those "Really Bad Things (TM)" that we hear about now and then.
Some of the offending CAs include (surprisingly) RSA Data Security, Verisign (Japan), Thawte, FreeSSL, Rapid SSL, and TC TrustCenter AG (Germany).
In their whitepaper, researchers Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger said that they collected roughly 30,000 certificates from around the Internet and of those approximately 9000 were signed using MD5. Wow. That's a high percentage.
Of course Microsoft published an advisory saying that they "no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm," which is good.
But Microsoft's related advisory also says that "this new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information."
For those of you who aren't already ROFL at Microsoft's downplaying of the risk, don't believe them. We've seen time and time again how, once tipped off to a vulnerability, savvy hackers can craft their own exploit code in short order.
If you have SSL certs issued for use on your own sites, then view the certificate's details to inspect the associated signature algorithm (you can use your Web browser to do that). If it was signed using MD5, then you should ask the issuing agent to re-issue the cert using a more secure signing algorithm such as SHA-1, if not something much stronger.
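If you would rather check a pile of certificates with a script than click through each one in a browser, the signature algorithm is easy to read straight out of the DER encoding: a Certificate is a SEQUENCE of tbsCertificate, signatureAlgorithm and signatureValue, and signatureAlgorithm is an AlgorithmIdentifier whose first element is the OID naming the hash-and-signature combination (1.2.840.113549.1.1.4 is md5WithRSAEncryption). The following is an added example written for this post, not code from the paper's authors or from any CA or vendor. It walks just enough ASN.1 to reach that OID and flags MD5 (and MD2) signatures. The certificate it parses is a constructed skeleton with the real outer layout but a dummy tbsCertificate and signature, so it runs offline; `check()` works unchanged on a real PEM file read through `pem_to_der()`.

```python
"""Report the signature algorithm of an X.509 certificate and flag MD5.

Minimal DER walker: Certificate ::= SEQUENCE { tbsCertificate,
signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING }.
"""
import base64
import re

# Signature-algorithm OIDs a practitioner is likely to meet (PKCS#1 and ECDSA).
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OID content bytes into dotted notation (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID found in Certificate.signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    tag, algid, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def pem_to_der(pem):
    """Strip PEM armour and base64-decode a certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def check(der):
    """Return (algorithm name or raw OID, True if MD5/MD2 based)."""
    name = SIG_OIDS.get(signature_algorithm(der), signature_algorithm(der))
    weak = name.lower().startswith(("md5", "md2"))
    return name, weak


# ---- constructed sample input (NOT a real certificate) ---------------------
def _tlv(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    """DER-encode a dotted OID."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def constructed_cert(sig_oid):
    """Skeleton with the real Certificate layout; tbs and signature are dummies."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))             # placeholder tbsCertificate
    algid = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")    # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" * 129)                    # placeholder BIT STRING
    return _tlv(0x30, tbs + algid + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"):
        print(check(constructed_cert(oid)))
```

On a real system the same question is answered by `openssl x509 -in cert.pem -noout -text` and reading the "Signature Algorithm" line; the point of the script is that the answer sits in a fixed place in every certificate, so a batch of certs can be triaged without a GUI. Note that the name is read from the certificate itself, so it tells you what the issuing CA used to sign it, which is what the attack in the paper depends on.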