> So - what to do? Well, I suspect most major CA's will regenerate their > certificates authority keys with SHA keys instead of MD5. But it could > be quite some time before sites re-issue their certs based on SHA.
If they don't voluntarily do it timely, they need to be pressured. > I am also going to investigate configuring my Firefox browser to not > accept MD5 keys for SSL, and require SHA keys only - this is a huge > impracticality since many SSL sites are still on MD5. But, at least I > would know not to disable that check while using a public internet > connection - only go to sites with an MD5-based cert while I'm on my > home connection or something. May I assume you will send a HOWTO to the group upon success? TIA. Another equally-disruptive approach is to delete the certificate bundle from the browser config, and accept certs one by one only upon your own trust criteria (hmm, maybe a much worse timesink). I wonder how similar the situation is for Automatic Teller Machines. Hopefully software repositories/projects will take notice and provide at least SHA1 checksums, if not SHA2 checksum and/or GPG signature, not merely MD5 checksums. Related article about status of MD5: http://www.win.tue.nl/hashclash/Nostradamus/ /Randall
