Today’s Microsoft Advisory

Posted 30 Dec 2008

Today, Microsoft released security advisory 961501 regarding SSL certificates that have MD5 signatures. This advisory comes on the heels of the same-day announcement that MD5 signatures are unsafe. While the Microsoft advisory states that they are not aware of specific attacks against MD5, the CCC announcement clearly gives a history in which MD5 hashes are proven to be vulnerable to hash collisions. The attack was completed using approximately 200 PS3s (yes, Sony PlayStations).

What can be done to protect against the attack? Unfortunately, there’s not much that can be done to defend against it. Creating a rogue CA or certificate is not an attack against a specific website or server. It’s an attack against the CA itself. The best advice that we can give is to use a CA that generates SHA1 signatures, and warn your customers to avoid MD5-signed certs for your site. Of course, just warning your customers may cause them to panic. Not all SSL certificates with MD5 signatures are fakes, but they are suspect.

