Issue
Researchers have recently found weaknesses in the MD5 hash algorithm, relied on by some SSL certificates. Using these weaknesses, an attacker could obtain fraudulent SSL certificates for websites they don’t legitimately control.
Impact to users
If a user visits an SSL site presenting a fraudulent certificate, there will be no obvious sign of a problem and the connection will appear to be secure. This could result in the user disclosing personal information to the site, believing it to be legitimate. We advise users to exercise caution when interacting with sites that require sensitive information, particularly when using public internet connections.
Status
This is not an attack on a Mozilla product, but we are nevertheless working with affected certificate authorities to ensure that their issuing processes are updated to prevent this threat. Mozilla is not aware of any instances of this attack occurring in the wild.
Microsoft has released their own advisory as well.
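As an added example (not part of this advisory and not Mozilla code): the certificates exposed to this weakness are the ones whose signature algorithm is md5WithRSAEncryption, and the Python below reads that field from a DER-encoded certificate. The function names are assumptions of this example, and the sample input is a constructed DER skeleton rather than a real certificate.

```python
# Added example; helper names and the sample input are constructed, not Mozilla's.
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold it
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def signature_oid(cert_der):
    """Return the raw OID bytes of Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    alg_tag, alg, _ = read_tlv(cert, pos)  # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg, 0)     # algorithm OBJECT IDENTIFIER
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a certificate-shaped DER structure")
    return oid

def is_md5_signed(cert_der):
    return signature_oid(cert_der) == MD5_RSA_OID

def tlv(tag, value):
    """DER-encode one element (used only to build the sample input)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def sample_cert(oid):
    """Constructed certificate-shaped DER skeleton, not a real certificate."""
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + tlv(0x04, bytes(200)))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(129)))
```

For a real certificate, convert PEM to DER first and pass the raw bytes to `is_md5_signed`.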
Credit
Alexander Sotirov, Marc Stevens, and Jacob Appelbaum presented this work at the 25th Chaos Communication Congress.
Johnathan Nightingale
Human Shield