MD5 is known to be a weak hashing algorithms for many years. Thus, it was vanishing from the scope. The scope was more on attacking SHA family. Nevertheless, researchers (Alex Sotirov, Marc Stevens, Jake Appelbaum, Arjen Lenstra, Benne de Weger, and David Molnar) have brightly combined three weaknesses: MD5 collision, the fact the some certification Authorities (CA) still use MD5 to sign SSL certificates, and that browsers poorly manage root certificates. They presented their attack at Chaos Computer Club conference.

The researchers asked a legitimate CA to sign with MD5 a legitimate SSL certificate. Then they forged a root key using the same signature. Bingo! They could now generate and sign “legitimate” SSL certificates.

Is it dangerous? Not really. First of all, the majority CAs are not anymore using MD5. The attack does not work on certificates that were already issued. In other words, when receiving new certificates signed with MD5 (normally very few) be cautious with the issuing date. You can still trust SSL. :Wink:

The cure is extremely simple. No CA should anymore use MD5 to sign certificates. The CA that signed the certificate used for the demonstration announced that it will soon get rid of MD5 :Happy:

Although not lethal attack, the work of the researchers is a an extremely nice and smart attack. The attack will be detailed in Security newsletter #12