A trans-Atlantic team of security researchers recently announced that they had hacked a heavily used component of browser security. The team was able to break into the Public Key Infrastructure (PKI), which is used to issue digital certificates for secure websites. The breach was accomplished by exploiting a weakness in the MD5 cryptographic hash function, one that allows the construction of different messages with the same MD5 hash.
The technique could be used to mass-produce forged certificates and undermine the "web of trust" that allows authenticated websites to receive sensitive information from users, by allowing hackers to set up realistic mirror websites and large-scale phishing operations. The mock attack exploited a known MD5 weakness, one that had been frequently pointed out in the past. While most authentication has moved away from the aging system, MD5 remains in use by roughly a quarter of certificates. With more and more businesses relying on web apps for traditional computing tasks, it is more important than ever to know how your company's information is being encrypted.
But sorry for the misleading title, as this page is exactly what you think it is. Peter Schooff's blog on ebizQ. You are right here. At least I think you are :)