Microsoft released a bulletin on it yesterday http://www.microsoft.com/technet/security/advisory/961509.mspx
Of note:

Mitigating Factors:

* Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method.
* Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.
* When visited, Web sites that use Extended Validation (EV) certificates show a green address bar in most modern browsers. These certificates are always signed using SHA-1 and as such are not affected by this newly reported research.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Sam Cayze [mailto:[email protected]]
Sent: Wednesday, December 31, 2008 7:56 AM
To: NT System Admin Issues
Subject: Hackers create rogue CA certificate using MD5 collisions

This doesn't sound too good...

http://blogs.zdnet.com/security/?p=2339
