Justin du Coeur (jducoeur) wrote,
Justin du Coeur

Weakness in some certificate authorities

Serious Internet geeks may want to take a look at this article in Ars Technica.

Summary: it's been known for a while that the MD5 hash algorithm is a bit weak. Some researchers have used this weakness to create a *really* horrible hack, allowing them to impersonate a major top-level Certificate Authority for cert-signing purposes. They're not saying exactly how the hack works, but the implication is that hackers (using this and other known techniques) could use this to more or less completely impersonate major secure sites, so that users would have no way of knowing that they're talking to a forgery. Very, very, *very* bad.

Moral of the story is that, if you're using MD5 for anything really important, it may be time to move on to better algorithms. With any luck, this will spur all the CAs to do so -- certainly, I would hope that any financial institution would be putting the thumbscrews on its CAs to do so quickly...
Tags: technology

  • First day of the next phase of my life

    Friday was formally my last day at Memento, but I count it as yesterday. Way back in March, I gave a sort-of four months' notice, saying that I would…

  • You know you're a true tea addict when...

    ... you finish your job and are packing your desk, and the tea selection on the back of your desk takes an entire moving box all by itself. (Yes,…

  • Resume rules

    Conducted an interview this morning; suffice it to say I wasn't blown away in general, but the worst of it was the resume, which was almost…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded