The newly discovered vulnerability in using MD5 signatures for SSL certificates has many people wondering about the security of their web sites and the security of other sites they visit on the Internet. Essentially, the vulnerability could allow an attacker to get an SSL certificate from a certificate authority that signs its certificates with MD5, and then engineer another certificate with completely different information in the certificate. In combination with other attacks (such as a DNS vulnerability like the one that was recently discovered by Dan Kaminsky), an attacker could spoof any website on the Internet (although sites with EV Certificates would be much more difficult if people are looking for the green bar).

Because of this, many people are avoiding sites that use an SSL certificate with an MD5 signature. The SSL Blacklist plugin for Firefox has even been updated to look for MD5 signatures. An article published by Netcraft reveals that about 14% of SSL Certificates in use on the Internet use the vulnerable MD5 Algorithm:

Netcraft's December 2008 SSL Survey found 135,000 valid third party certificates using MD5 signatures on public web sites, which is around 14% of the total number of valid SSL certificates in use.The great majority consist of certificates from RapidSSL (shown as Equifax on the certiifcate). As of Netcraft's December survey, all of the 128,000 RapidSSL certificates in use on public sites were signed with MD5; there are some much smaller CAs that use MD5 still, and there are a small number of certificates from Thawte and VeriSign, although most of their certificates are signed with the more secure SHA1. Other CAs use only SHA1. Verisign (owners of RapidSSL since 2006) have stated that they have stopped using MD5-signing for RapidSSL certificates, and will have phased out MD5-signing across all their certificate products by the end of January 2009. Other affected CAs are likely to follow suit, as SHA1 is well established and is already in use for the majority of SSL certificate signing, so it should be simple to switch to using this more secure alternative. Once it is impossible to obtain new certificates signed with MD5, this attack will be neutralised. The attack requires a collision between newly created certificates — one valid and one fake — deliberately created by the attacker. As such, there is no particular risk to existing SSL certificates signed with MD5, and they do not need to be replaced. VeriSign are nevertheless offering free replacements for customers that want them; and it is possible that browsers will start to distinguish certificates signed with MD5 so that users can exercise caution, as CERT have issued a vulnerability note suggesting that users could check for this manually.

Even though this vulnerability doesn't directly affect sites with certificates that use MD5 signatures, it is recommended that you replace any certificates on your sites that use MD5 with certificates that use more secure algorithms (such as SHA-1). You can check whether a certificate on your site uses an MD5 signature by entering the site name where your SSL certificate is installed below. Our SSL Checker will display the signature algorithm of each certificate in the chain and warn you if one of them is using MD5.

Check a Site for MD5 Certificates

Server Hostname: (e.g. www.google.com) Check SSL

Originally posted on Sun Jan 4, 2009

