Issue
Researchers have recently found weaknesses in the MD5 hash algorithm, relied on by some SSL certificates. Using these weaknesses, an attacker could obtain fraudulent SSL certificates for websites they don’t legitimately control.
Impact to users
If a user visits an SSL site presenting a fraudulent certificate, there will be no obvious sign of a problem and the connection will appear to be secure. This could result in the user disclosing personal information to the site, believing it to be legitimate. We advise users to exercise caution when interacting with sites that require sensitive information, particularly when using public internet connections.
Status
This is not an attack on a Mozilla product, but we are nevertheless working with affected certificate authorities to ensure that their issuing processes are updated to prevent this threat. Mozilla is not aware of any instances of this attack occurring in the wild.
Microsoft has released their own advisory as well.
Credit
Alexander Sotirov, Marc Stevens, and Jacob Appelbaum presented this work at the 25th Chaos Communication Congress.
Johnathan Nightingale
Human Shield
Phil
wrote on
Jeff Muizelaar
wrote on
Robert C. Sheets
wrote on
Michael
wrote on
Sitaram
wrote on
S Miller
wrote on
wombat
wrote on
John
wrote on
Nick Mathewson
wrote on
Gary Covington
wrote on
Steven
wrote on
Kasper
wrote on
Tom K
wrote on
David Mentré
wrote on
pakman
wrote on
Johnathan Nightingale
wrote on
Wanda R
wrote on
event security
wrote on
WEB Consultant
wrote on