Certification authorities respond to MD5 hack
Certification authorities have responded to work by a research group that demonstrated the insecurity of MD5 by forging a CA certificate, which allowed them to issue further certificates with arbitrary identities. This was somewhat inevitable: MD5 collisions were first demonstrated in 2004, and the chosen-prefix collision method used in this attack has been known since 2007.
German certification authority TC Trustcenter asserts that its placement on a list of CAs still using MD5 is somewhat unjust. The organisation states that it switched in 2007: "All certificates issued to its customers since that time use other hash procedures, such as SHA-1". It further notes that the only place it has continued to use MD5-signed certificates is on a few of its own servers. That does indeed rule out the specific attack scenario, since the attacker needs the CA to sign attacker-controlled certificate content with MD5, but it hardly seems likely to engender confidence among users. TC Trustcenter has at least started to replace these certificates.
In a blog entry, Verisign's Tim Callan reassures users that the problem has already been "resolved". He says the company has been phasing out MD5 for some time and that most Verisign certificates no longer use it. According to Callan, the company has now accelerated this process for RapidSSL, which no longer uses MD5 to sign certificates. Callan adds that the company has also confirmed that all other certificates it sells are not vulnerable to this attack, whatever that is supposed to mean.
Callan does not, however, see any need to revoke or phase out existing certificates signed with the insecure MD5 algorithm, since, he notes, the attack is not directed against existing certificates. That is true as far as it goes: the collision has to be prepared before the CA signs, so a certificate that has already been issued cannot be turned into a forgery after the fact. A forged CA certificate, on the other hand, stays usable for as long as browsers trust the MD5-signed chain it hangs from. Verisign will offer customers free replacement certificates. The RapidSSL website nevertheless continues, almost ostentatiously, to use an MD5-signed certificate.
As with TC Trustcenter, Verisign's primary concern is its own customers, for whom the attack poses no direct threat. The risk presented by forged CAs falls primarily on end users, who can no longer be sure whether a certificate is genuine, and therefore whether an online purchase is actually safe. Neither Verisign nor TC Trustcenter has anything to say about how users can protect themselves from forged certificates, or how MD5 can be removed from the chain of trust as quickly as possible.
US-CERT goes a little further, with an advisory stating:
Do not use the MD5 algorithm
Software developers, Certification Authorities, website owners,
and users should avoid using the MD5 algorithm in any capacity.
As previous research has demonstrated, it should be considered
cryptographically broken and unsuitable for further use.
A background article on heise Security on the consequences of the successful attack on MD5 analyses the threat and looks at the meagre options available to users for protecting themselves from forged certificates.
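One of the few checks a user or site operator can actually run is to look at which hash every certificate in a chain was signed with, which is also the practical form of the US-CERT advice above. The following Python script is an added example, not code from the article, from US-CERT or from any of the CAs named: it parses the signature AlgorithmIdentifier out of each certificate in a PEM chain, names the algorithm by its OID and flags MD2/MD5 (collision attacks are practical) and SHA-1 (deprecated). It also checks that the outer signatureAlgorithm matches the signature field inside tbsCertificate, which RFC 5280 requires. The sample chain is built from constructed skeleton certificates (unsigned and truncated to the fields the check needs) so that it runs offline; the OIDs are the real PKCS#1 ones, everything else in the sample is made up.

```python
import base64

# Signature algorithm OIDs (RFC 3279 / RFC 4055).
SIG_ALGS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
BROKEN = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}  # collisions are practical
DEPRECATED = {"1.2.840.113549.1.1.5"}                       # SHA-1: being phased out

def der_tlv(buf, off=0):
    """Parse one DER tag-length-value at `off`; return (tag, value, end_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Split the content of a constructed value into a list of (tag, body)."""
    out, off = [], 0
    while off < len(value):
        tag, body, off = der_tlv(value, off)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def algorithm_oid(algid_body):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, oid_body = der_children(algid_body)[0]
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid_body)

def signature_algorithms(cert_der):
    """Return (outer, inner) signature OIDs of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }"""
    tag, cert_body, _ = der_tlv(cert_der)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    tbs, outer_algid, _sig = der_children(cert_body)[:3]
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:  # skip EXPLICIT [0] version if present
        fields = fields[1:]
    inner_algid = fields[1]   # fields[0] is serialNumber
    return algorithm_oid(outer_algid[1]), algorithm_oid(inner_algid[1])

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def audit_chain(pems):
    """Classify every certificate of a PEM chain (leaf first) by its signature hash."""
    report = []
    for i, pem in enumerate(pems):
        outer, inner = signature_algorithms(pem_to_der(pem))
        if outer != inner:            # RFC 5280 requires both fields to be identical
            verdict = "MISMATCH"
        elif outer in BROKEN:
            verdict = "BROKEN"
        elif outer in DEPRECATED:
            verdict = "DEPRECATED"
        else:
            verdict = "OK"
        report.append((i, SIG_ALGS.get(outer, outer), verdict))
    return report

# --- constructed sample input: skeleton certificates, unsigned and truncated ---
def der(tag, body):  # short-form length only; the skeleton certificates are < 128 bytes
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))

def skeleton_cert(outer_oid, inner_oid=None):
    """Minimal Certificate carrying the given signature OIDs (no issuer, subject or key)."""
    algid = lambda o: der(0x30, encode_oid(o) + der(0x05, b""))  # OID + NULL params
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + algid(inner_oid or outer_oid))
    return der(0x30, tbs + algid(outer_oid) + der(0x03, b"\x00" * 5))

def to_pem(der_bytes):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_CHAIN = [
    to_pem(skeleton_cert("1.2.840.113549.1.1.11")),  # leaf: SHA-256
    to_pem(skeleton_cert("1.2.840.113549.1.1.4")),   # intermediate: MD5
    to_pem(skeleton_cert("1.2.840.113549.1.1.5")),   # root: SHA-1
]
```

`audit_chain(SAMPLE_CHAIN)` reports the leaf as OK, the intermediate as BROKEN and the root as DEPRECATED. On a real site, feed it the PEM blocks that `openssl s_client -showcerts` prints for the server. The finding that matters for this attack is an MD5-signed CA certificate somewhere in the chain: that is the signature a chosen-prefix collision can be arranged against, and it is the one a rogue CA certificate would hang from. An MD5 signature on the leaf alone is bad hygiene but does not by itself let anyone mint further certificates.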