Tuesday, December 30, 2008

MD5 Broken? That's Not News

Everyone is all a-twitter about the demo at the CCC congress, where a forged SSL certificate was created. The sky is falling! The sky is falling!

Except it's not.

Security experts have known for almost ten years that MD5 was broken - there was some good discussion back and forth for a time about this - and about five years ago, even the naysayers finally relented and admitted that MD5 as a crypto solution had seen its last days.

Of course, that didn't stop some firms from continuing to use MD5 with their CAs, and those are the people squawking now, because they are vulnerable to attack.

Quite a few Certificate Authorities moved off of MD5 some time ago in favor of the more secure SHA-1 algorithm, and regular Red Gecko readers will recall that I wrote about the ongoing competition to replace SHA-1 with SHA-3 in my post Round One Candidates for SHA-3. Nothing is unbreakable, so we're always looking for the next secure thing. Since SHA-2 shares some of the same weaknesses as SHA-1, adoption of SHA-3 can't come quickly enough.

I won't go into the technical details of the collisions or how they make use of inherent MD5 flaws to allow this whole silly thing to take place. If hardcore cryptography rocks your world, you can check out the gory details at this site.

I'm guessing there will be some sort of fix issued, but the better plan is to move off of MD5. It will be interesting to see how certificate revocation is handled by the impacted organizations, and to watch for any production outages that might occur due to certificate invalidation or problems with the issuance of the replacement certs.

You'll hear a lot about this in the days ahead, but it's really a bit overblown. Play it safe and check for MD5 in your environment, then get on with your life. If you can't get off of MD5 in your CA, look into some of the workarounds to protect your certificate infrastructure until you can, such as adding a sufficient amount of randomness to the certificate fields, or making active use of the "pathlength" parameter in the "basic constraints" field. Not perfect solutions, to be sure.

Expect browser developers to consider implementing some sort of pop-up to alert users that the site they are visiting has an MD5-based certificate, but the majority of users will find this to be meaningless gibberish. It's really going to be up to the site owners to do a better job of implementing their certificates while insisting that CAs use strong cryptography, preferably SHA-2.
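The "check for MD5 in your environment" step above is easy to automate. The following is an added example, not code from the original post: it hand-parses just enough DER to read the outer X.509 Certificate structure, reports which hash the signature uses (by well-known OID), and measures the bit length of the serial number, since the serial is the usual place to add the randomness the post mentions. The certificates it audits are constructed toy skeletons built inline; real certificates would be read from a file with the same `audit()` function. The 64-bit serial threshold is an assumption of this example, not a figure from the post.

```python
"""Audit DER-encoded X.509 certificates for MD5 signatures and short serials.

Certificate ::= SEQUENCE {
    tbsCertificate      TBSCertificate,        -- SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... }
    signatureAlgorithm  AlgorithmIdentifier,   -- SEQUENCE { OID, parameters }
    signatureValue      BIT STRING }
"""
import secrets

# Well-known signature-algorithm OIDs from PKCS #1.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha2"),
}
SEQUENCE, INTEGER, OID, NULL, BIT_STRING = 0x30, 0x02, 0x06, 0x05, 0x03
CTX0 = 0xA0              # [0] EXPLICIT tag wrapping the optional version field
MIN_SERIAL_BITS = 64     # assumed threshold for "sufficient randomness" (not from the post)


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children_of(tlv):
    """Return [(tag, value, raw_tlv)] for each element of a DER SEQUENCE."""
    tag, body, _ = read_tlv(tlv)
    if tag != SEQUENCE:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    out, pos = [], 0
    while pos < len(body):
        t, v, nxt = read_tlv(body, pos)
        out.append((t, v, body[pos:nxt]))
        pos = nxt
    return out


def decode_oid(value):
    """Decode OID contents octets into dotted form (handles the 2.x arc packing)."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in value[1:]:                     # base-128 groups, high bit set on all but the last
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return (dotted OID, name, hash family) of the certificate's outer signature."""
    _tbs, sig_alg, _sig = children_of(cert_der)[:3]
    oid_tag, oid_val, _ = children_of(sig_alg[2])[0]
    if oid_tag != OID:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    dotted = decode_oid(oid_val)
    name, family = SIG_ALGS.get(dotted, ("unknown", "unknown"))
    return dotted, name, family


def serial_number_bits(cert_der):
    """Bit length of serialNumber, skipping the optional [0] version field."""
    fields = children_of(children_of(cert_der)[0][2])
    if fields[0][0] == CTX0:
        fields = fields[1:]
    tag, val, _ = fields[0]
    if tag != INTEGER:
        raise ValueError("serialNumber must be an INTEGER")
    return int.from_bytes(val, "big", signed=True).bit_length()


def audit(cert_der):
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    dotted, name, family = signature_algorithm(cert_der)
    if family == "md5":
        findings.append("signed with %s (%s): collision-prone, reissue with SHA-2" % (name, dotted))
    elif family == "sha1":
        findings.append("signed with %s: plan a move to SHA-2" % name)
    elif family == "unknown":
        findings.append("unrecognised signature OID %s: review manually" % dotted)
    bits = serial_number_bits(cert_der)
    if bits < MIN_SERIAL_BITS:
        findings.append("serial number has only %d bits; add randomness to the serial" % bits)
    return findings


# --- DER encoding helpers used only to construct the sample certificates below ---
def der(tag, content):
    """Encode one DER TLV; long-form lengths up to 65535 are enough here."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID as a full OID TLV (inverse of decode_oid for the first-arc-0/1 case)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups, arc = [arc & 0x7F], arc >> 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return der(OID, bytes(out))


def random_serial(bits=MIN_SERIAL_BITS):
    """Random positive serial with exactly `bits` bits (top bit forced on)."""
    return secrets.randbits(bits) | (1 << (bits - 1))


def toy_certificate(sig_oid, serial):
    """Constructed sample: a skeleton Certificate carrying only the fields audit() reads."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # extra byte keeps it positive
    tbs = der(SEQUENCE, der(CTX0, der(INTEGER, b"\x02")) + der(INTEGER, serial_bytes))
    sig_alg = der(SEQUENCE, encode_oid(sig_oid) + der(NULL, b""))
    sig_value = der(BIT_STRING, b"\x00" * 17)   # placeholder bits, not a real signature
    return der(SEQUENCE, tbs + sig_alg + sig_value)


if __name__ == "__main__":
    weak = toy_certificate("1.2.840.113549.1.1.4", serial=1)             # MD5, sequential serial
    strong = toy_certificate("1.2.840.113549.1.1.11", serial=random_serial())
    for label, cert in (("weak", weak), ("strong", strong)):
        print(label, audit(cert) or ["ok"])
```

Only the outer `signatureAlgorithm` is inspected; the `signature` field inside `tbsCertificate` must match it in a valid certificate, and a full checker would compare the two. For certificates on disk, strip the PEM armour with `base64` and pass the resulting bytes to `audit()`.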
