At Tue, 30 Dec 2008 11:51:06 -0800 (PST), "Hal Finney" wrote:
> Therefore the highest priority should be for the six bad CAs to change
> their procedures, at least start using random serial numbers and move
> rapidly to SHA1. As long as this happens before Eurocrypt or whenever
> the results end up being published, the danger will have been averted.
> This, I think, is the main message that should be communicated from this
> important result.
VeriSign says that they have already fixed RapidSSL:

https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php

Q: How will VeriSign mitigate this problem?

A: VeriSign has removed this vulnerability. As of shortly before this posting, the attack laid out this morning in Berlin cannot be successful against any RapidSSL certificate nor any other SSL Certificate that VeriSign sells under any brand.

Q: Does that mean VeriSign has discontinued use of MD5?

A: We have been in the process of phasing out the MD5 hashing algorithm for a long time now. MD5 is not in use in most VeriSign certificates for most applications, and until this morning our roadmap had us discontinuing the last use of MD5 in our customers' certificates before the end of January, 2009. Today's presentation showed how to combine MD5 collision attacks with some other clever bits of hacking to create a false certificate. We have discontinued using MD5 when we issue RapidSSL certificates, and we've confirmed that all other SSL Certificates we sell are not vulnerable to this attack. We'll continue on our path to discontinue MD5 in all end entity certificates by the end of January, 2009.

Incidentally, I think most of the CA names in Slide 19 are VeriSign brands. In particular RapidSSL, RSA, Thawte, and Verisign.co.jp are, and I believe that FreeSSL is as well.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
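The two procedural fixes in Hal's message (random serial numbers, no more MD5 signatures) as a worked example. This code is added here; it is not from the thread, from VeriSign, or from any CA's issuance software. It contains a minimal DER reader that pulls the serial number and the inner signature OID out of a certificate (that part works on real DER certificates; base64-decode a PEM body first), an audit that flags md5WithRSAEncryption and serials shorter than 64 bits (the 64-bit threshold is this example's own choice, not something the thread states), and a hypothetical CA that issues skeletal certificates the legacy way (counter serial, MD5) and the fixed way (CSPRNG serial, SHA-1). The sample certificates are constructed in the block with placeholder name and key fields and a dummy signature, and the validity period is frozen to a constant template so that only the serial number varies; that isolates the property Hal is talking about, namely that a chosen-prefix collision attacker must know the exact to-be-signed bytes before the CA signs them.

```python
"""Audit DER certificates for an MD5 signature OID and a short serial number,
and show why sequential serials let an attacker predict the TBS prefix that
a chosen-prefix MD5 collision needs.  Pure stdlib; the certificates built
below are constructed for the example, not real CA output."""
import secrets

MD5_RSA = "1.2.840.113549.1.1.4"    # md5WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"   # sha1WithRSAEncryption
MIN_SERIAL_BITS = 64                # threshold chosen for this example

# --- minimal DER encoder (enough for a skeletal Certificate) ----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def der_int(n):                     # non-negative INTEGER, DER sign padding
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"\x00")

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

# --- minimal DER reader -----------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def audit_certificate(der):
    """Serial-number and signature-OID findings for one DER certificate."""
    _, cert, _ = read_tlv(der)      # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)      # tbsCertificate ::= SEQUENCE
    tag, body, pos = read_tlv(tbs)
    if tag == 0xA0:                 # explicit [0] version, absent in v1 certs
        tag, body, pos = read_tlv(tbs, pos)
    assert tag == 0x02, "expected serialNumber INTEGER"
    serial = int.from_bytes(body, "big", signed=True)
    _, algid, _ = read_tlv(tbs, pos)  # signature AlgorithmIdentifier
    _, oid_body, _ = read_tlv(algid)
    oid = decode_oid(oid_body)
    return {"serial": serial, "sig_oid": oid, "uses_md5": oid == MD5_RSA,
            "short_serial": serial.bit_length() < MIN_SERIAL_BITS}

# --- hypothetical CA, before and after the fix ------------------------------
VALIDITY = seq(tlv(0x17, b"081230000000Z"), tlv(0x17, b"091230000000Z"))  # constant template

def build_cert(serial, sig_oid):
    """Real TBS layout with placeholder issuer/subject/key and a dummy signature."""
    algid = seq(der_oid(sig_oid), tlv(0x05, b""))
    tbs = seq(tlv(0xA0, der_int(2)), der_int(serial), algid, seq(), VALIDITY, seq(), seq())
    return seq(tbs, algid, tlv(0x03, bytes(17)))

def legacy_ca_issue(counter):       # the bad procedure: counter serial, MD5
    return build_cert(counter, MD5_RSA)

def fixed_ca_issue():               # Hal's fix: CSPRNG serial, SHA-1
    return build_cert(secrets.randbits(128), SHA1_RSA)

def attacker_predicts_tbs(prev_cert, next_cert):
    """The attacker sees one issued cert, guesses serial+1 with the same
    template, and needs a byte-exact match with the next TBS to mount a
    chosen-prefix collision.  Sequential serials give it; random ones do not."""
    prev = audit_certificate(prev_cert)
    _, next_tbs, _ = read_tlv(read_tlv(next_cert)[1])
    guess = read_tlv(read_tlv(build_cert(prev["serial"] + 1, prev["sig_oid"]))[1])[1]
    return guess == next_tbs
```

For a real certificate, `audit_certificate(open("cert.der", "rb").read())` reports the inner signature OID and the serial; `short_serial` is only a heuristic, since a single certificate cannot prove the serial came from a CSPRNG, but a CA still emitting small sequential values will trip it. The TBS-prediction check is deliberately one-sided: a random serial breaks the guess even though every other field in this template stays constant, which is exactly why it was the cheapest change for the affected CAs to make ahead of dropping MD5.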
