{"id":62,"date":"2008-12-30T08:41:46","date_gmt":"2008-12-30T15:41:46","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=62"},"modified":"2008-12-30T12:18:50","modified_gmt":"2008-12-30T19:18:50","slug":"md5-weaknesses-could-lead-to-certificate-forgery","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/","title":{"rendered":"MD5 Weaknesses Could Lead to Certificate Forgery"},"content":{"rendered":"<p><strong>Issue<\/strong><\/p>\n<p>Researchers have recently found <a href=\"http:\/\/www.win.tue.nl\/hashclash\/rogue-ca\/\">weaknesses in the MD5 hash algorithm<\/a>, relied on by some SSL certificates. Using these weaknesses, an attacker could obtain fraudulent SSL certificates for websites they don&#8217;t legitimately control.<\/p>\n<p><strong>Impact to users<\/strong><\/p>\n<p>If a user visits an SSL site presenting a fraudulent certificate, there will be no obvious sign of a problem and the connection will appear to be secure. This could result in the user disclosing personal information to the site, believing it to be legitimate. We advise users to exercise caution when interacting with sites that require sensitive information, particularly when using public internet connections.<\/p>\n<p><strong>Status<\/strong><\/p>\n<p>This is not an attack on a Mozilla product, but we are nevertheless working with affected certificate authorities to ensure that their issuing processes are updated to prevent this threat. Mozilla is not aware of any instances of this attack occurring in the wild.<\/p>\n<p>Microsoft has <a href=\"http:\/\/www.microsoft.com\/technet\/security\/advisory\/961509.mspx\">released their own advisory<\/a> as well.<\/p>\n<p><strong>Credit<\/strong><\/p>\n<p>Alexander Sotirov, Marc Stevens, and Jacob Appelbaum presented this work at the 25th Chaos Communication Congress.<\/p>\n<p>Johnathan Nightingale<br \/>\nHuman Shield<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Issue Researchers have recently found weaknesses in the MD5 hash algorithm, relied on by some SSL certificates. Using these weaknesses, an attacker could obtain fraudulent SSL certificates for websites they &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/\">Read more<\/a><\/p>\n","protected":false},"author":107,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>MD5 Weaknesses Could Lead to Certificate Forgery - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Johnathan Nightingale\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/\",\"name\":\"MD5 Weaknesses Could Lead to Certificate Forgery - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2008-12-30T15:41:46+00:00\",\"dateModified\":\"2008-12-30T19:18:50+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MD5 Weaknesses Could Lead to Certificate Forgery\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d\",\"name\":\"Johnathan Nightingale\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a7045d6e4465774d94d0755aad2e257f\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g\",\"caption\":\"Johnathan Nightingale\"},\"description\":\"Vice President of Firefox\",\"sameAs\":[\"http:\/\/blog.johnath.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MD5 Weaknesses Could Lead to Certificate Forgery - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/","twitter_misc":{"Written by":"Johnathan Nightingale","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/","url":"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/","name":"MD5 Weaknesses Could Lead to Certificate Forgery - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2008-12-30T15:41:46+00:00","dateModified":"2008-12-30T19:18:50+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2008\/12\/30\/md5-weaknesses-could-lead-to-certificate-forgery\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"MD5 Weaknesses Could Lead to Certificate Forgery"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d","name":"Johnathan Nightingale","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a7045d6e4465774d94d0755aad2e257f","url":"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g","caption":"Johnathan Nightingale"},"description":"Vice President of Firefox","sameAs":["http:\/\/blog.johnath.com"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/62"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/107"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=62"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/62\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=62"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=62"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=62"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=62"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}