Wednesday, December 31, 2008

SSL Certificates Hacked

Here's an article about hackers breaking SSL. In fact, they found a way to spoof a secure site, so that a site you are visiting looks like it is sending your data encrypted across the Internet when it is not. The hack applies to certificate authorities that use the MD5 algorithm, such as VeriSign's RapidSSL.

Hackers Break SSL

Additionally, the article points out that the hack is in SSL certificates using MD5. As the end of the article states:

"It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard."

I did some research to find out which CAs are using MD5 encryption instead of SHA and found that this particular hack was targeted at VeriSign's RapidSSL.com:

MD5 SSL hack analysis

I was able to confirm that Network Solutions does not use MD5 encryption.

Microsoft claims this hack poses no major threat to users:
Microsoft says SSL MD5 hack poses no real threat