VeriSign Switches to RapidSSL Certificates on the SHA-1 Algorithm

Security Featured Article


January 05, 2009


By Calvin Azuri, TMCnet Contributing Editor


VeriSign, Inc. has announced that it is switching to the SHA-1 algorithm for new RapidSSL certificates. The change follows the disclosure of a flaw in the MD5 hash function that makes it unsuitable for new RapidSSL certificates. Along with the transition, VeriSign has pledged to re-issue RapidSSL certificates on the SHA-1 algorithm free of charge to customers who want to upgrade.

 
According to Chris Babel, SVP and general manager at VeriSign, the company is taking such security issues seriously and working quickly to remedy the vulnerabilities that could affect online security.
 
VeriSign provides Internet infrastructure services such as SSL, identity and authentication and domain name services. The global registries, data centers and networks of the company provide the security, scalability and reliability to support digital interactions. 
 
In view of the MD5 exploit, VeriSign has temporarily suspended its normal certificate replacement fees, so existing RapidSSL customers can replace their certificates with RapidSSL SHA-1 certificates for free. The company plans to discontinue use of the MD5 hashing algorithm in all its end-entity certificates by the end of January 2009, and has already stopped using the flawed MD5 function for digital signatures when issuing RapidSSL certificates.
 
Security researchers from the U.S., the Netherlands and Switzerland presented the flaw in the MD5 cryptographic hash function at the Chaos Communication Congress in Berlin. They exploited a weakness in MD5 that allows the construction of different messages with the same MD5 hash, and demonstrated an MD5 collision attack that could create a new, false certificate from scratch. Such an attack, which uses computing power to create a false SSL certificate under the RapidSSL brand, requires new certificates to be issued; existing certificates cannot be targeted with it.
 
Certificates already in use by banks, brokerages and other SSL-using entities will not be affected, because the MD5 exploit cannot impact certificates that are already in production, including previously issued RapidSSL certificates and other VeriSign brand certificates.

Calvin Azuri is a contributing editor for TMCnet.

Edited by Stefania Viscusi

