# md5 is not secure anymore

## alien

Don't know if anybody has posted this yet. You can't trust md5 sums anymore. 

http://www.kb.cert.org/vuls/id/836068

----------

## jmz2

 *alien wrote:*   

> Don't know if anybody has posted this yet. You can't trust md5 sums anymore. 
> 
> http://www.kb.cert.org/vuls/id/836068

 

MD5 collisions are old news. So are SHA1 collisions. Both algorithms are still good for non-cryptographic operations, like checking file integrity.

----------

## timeBandit

 *jmz2 wrote:*   

> MD5 collisions are old news.

 You might want to actually read the advisory. This is based on new research publicized last week.

 *Sotirov, Stevens, et al. wrote:*   

> As a proof of concept we ... created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol. [emphasis added]

 Not good. Doubleplus ungood, even.

----------

## jmz2

 *timeBandit wrote:*   

>  *jmz2 wrote:*   
> 
> > MD5 collisions are old news.
> 
> You might want to actually read the advisory. This is based on new research publicized last week.
> 
>  *Sotirov, Stevens, et al. wrote:*   
> 
> > As a proof of concept we ... created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol. [emphasis added]
> 
> Not good. Doubleplus ungood, even.

 

There's nothing new in that, something I tried to say in my first post. (emphasis mine):

 *Sotirov, Stevens, et al. wrote:*   

> Our work shows that known weaknesses in the MD5 hash function can be exploited in realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.

 

----------

## timeBandit

Yes, there is something new. Again citing the article (emphasis added):

 *Quote:*   

> Previous work on MD5 collisions [described] theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

This announcement raises the severity of the weakness(es) because it proves a real-world attack is possible right now. The practical attack described is basically undetectable to the average user. The only permanent fix--which is, agreed, not new--is to revoke MD5-signed CA certificates and replace them. Apparently (judging by remarks in the article), some CAs have been slow to do that.

As a result of this announcement, in the near future I'd expect a flurry of updates to browsers, Windows, OpenSSL, etc.--anything that bundles CA root certs--as new root certificates are published, in an attempt to finally purge MD5-signed certs from the wild. It's gone from "yeah, we need to take care of that" to "I guess we'd better fix this now."

----------

## Hu

 *timeBandit wrote:*   

> The only permanent fix--which is, agreed, not new--is to revoke MD5-signed CA certificates and replace them. Apparently (judging by remarks in the article), some CAs have been slow to do that.
> 
> As a result of this announcement, in the near future I'd expect a flurry of updates to browsers, Windows, OpenSSL, etc.--anything that bundles CA root certs--as new root certificates are published, in an attempt to finally purge MD5-signed certs from the wild. It's gone from "yeah, we need to take care of that" to "I guess we'd better fix this now."

 

Unfortunately, that is not the correct mitigation.  The CA that they exploited is a self-signed certificate using SHA1, not MD5.  The flaw is that the CA granted a signature using MD5, so they were able to use an MD5 collision to paste the CA signature onto their rogue CA certificate.  The mitigation is to consider any certificate using a signed MD5 digest as suspect.  That is more work, since it requires that applications look for MD5 digests and disallow them, rather than simply purging any CA certificate that uses an MD5 digest.

----------
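The check Hu describes above, as an added example that is not code from the thread or from the Sotirov/Stevens advisory: rather than purging root certificates, walk each certificate in DER form, read the `signatureAlgorithm` OID (and the copy of it inside `tbsCertificate`), and refuse anything signed with an MD5-based algorithm. The minimal DER walker, the OID encoder/decoder and the skeleton "certificates" are constructed here for illustration (they are not valid certificates); the algorithm OIDs are the standard PKCS #1 values.

```python
# Added example: classify a DER-encoded certificate by its signature algorithm
# and reject MD5-based signatures, as Hu's mitigation suggests. The DER helpers
# and sample certificates below are constructed for this example; the OIDs are
# the standard PKCS #1 signature-algorithm identifiers.

# Signature algorithms built on digests that should no longer be trusted.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

SEQUENCE, INTEGER, OID, NULL, BIT_STRING, CTX0 = 0x30, 0x02, 0x06, 0x05, 0x03, 0xA0


def der_encode(tag, content):
    """Wrap content in a DER TLV, using short or long-form length as needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, header = first, 2
    else:
        k = first & 0x7F
        n, header = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start, end = pos + header, pos + header + n
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def der_children(content):
    """Split the body of a constructed element into its (tag, body) children."""
    children, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        children.append((tag, body))
    return children


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:          # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_encode(OID, bytes(out))


def decode_oid(body):
    # First byte packs the first two arcs (sufficient for the 1.x/2.x OIDs here).
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_identifier_oid(alg_id_body):
    tag, oid_body = der_children(alg_id_body)[0]
    if tag != OID:
        raise ValueError("AlgorithmIdentifier must begin with an OID")
    return decode_oid(oid_body)


def signature_algorithms(cert_der):
    """Return (OID inside tbsCertificate.signature, OID of outer signatureAlgorithm)."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    tbs, sig_alg, _sig_value = der_children(cert_body)[:3]
    fields = der_children(tbs[1])
    if fields[0][0] == CTX0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields[0] is serialNumber, fields[1] is the inner signature AlgorithmIdentifier
    return algorithm_identifier_oid(fields[1][1]), algorithm_identifier_oid(sig_alg[1])


def classify_certificate(cert_der):
    """(accepted, reason): reject weak digests and inner/outer algorithm mismatches."""
    inner, outer = signature_algorithms(cert_der)
    if inner != outer:
        return False, "signature algorithm mismatch"
    if outer in WEAK_SIGNATURE_OIDS:
        return False, WEAK_SIGNATURE_OIDS[outer]
    return True, outer


def build_sample_cert(inner_oid, outer_oid):
    """Constructed certificate skeleton: only the fields this check reads are present."""
    alg = lambda oid: der_encode(SEQUENCE, encode_oid(oid) + der_encode(NULL, b""))
    tbs = der_encode(SEQUENCE, der_encode(CTX0, der_encode(INTEGER, b"\x02"))  # v3
                     + der_encode(INTEGER, b"\x01")                              # serial
                     + alg(inner_oid))
    return der_encode(SEQUENCE, tbs + alg(outer_oid) + der_encode(BIT_STRING, b"\x00" * 9))


if __name__ == "__main__":
    for name, oid in (("md5", "1.2.840.113549.1.1.4"), ("sha1", "1.2.840.113549.1.1.5")):
        print(name, classify_certificate(build_sample_cert(oid, oid)))
```

Apply the classification to every certificate in a chain except the trust anchor itself: a self-signed root's own signature is not what trust rests on, which is why, as Hu notes, purging MD5 roots would not by itself have blocked an MD5-signed intermediate.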

