Verisign/RapidSSL close 25C3 MD5 vulnerability

In a Verisign blog, Tim Callan has detailed Verisign's response to the MD5 Collision CA Certificate crack presented at the 25th Chaos Communication Congress (25C3). Verisign's RapidSSL came in for particular attention in the presentation as vulnerabilities in the way it generated certificates allowed the researchers to predict the serial number of a certificate that would be generated in the near future. Callan confirmed that after a preliminary viewing, the presentation was accurate and stated that the vulnerability in the certificate generation was closed "shortly before this posting".

Verisign are in the process of discontinuing the use of MD5 hashes for signing, saying it had been planning to stop use of MD5 in customer certificates by the end of January 2009. It has, as of now, discontinued the use of MD5 for RapidSSL certificates and plans to end MD5 usage completely by the end of January.

Although the attack demonstrated did not affect existing MD5 signed certificates, Verisign is allowing customers to replace any MD5 hashed certificates free of charge and is, until further notice, suspending replacement fees for MD5 signed certificates. It is not requiring the replacement of certificates as it did during the Debian OpenSSL disaster.

The researchers noted that they had taken a number of measures to prevent legal action being brought by a certificate authority in the presentation, for fear of having their investigations shut down. Callan countered that saying "Security researchers who behave ethically have no reason to fear legal action from VeriSign" before going on to note Verisign's disappointment that the researchers did not share their results with the company earlier.

(djwm)