Lots of fuss  was made about the paper presented at the Chaos Communication Congress in Berlin yesterday by Alexander Sotirov et al. The paper describes a proof-of-concept attack using a weakness in the MD5 cryptographic hash function to create a rogue Cerification Authority certificate using a hash collision (essentially, two messages with the same MD5 hash value). The promotion of the paper's title from “Making the theoretical possible” to “MD5 considered harmful today: Creating a rogue CA certificate” gives some idea of how seriously the issue is being taken. Not unreasonably, given the author's claim that "This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol."

Is it serious? Certainly. It's likely that there will be real-life attacks using similar techniques to impersonate secure websites. Perhaps the sanest summary I've seen to date is by Johannes Ullrich at the SANS Internet Storm Center (an excellent resource, by the way). Ullrich points out that the continuing use of a known weakness in MD5 by CAs poses a real problem that can't be fixed by changing your browser, for example. However, limiting the number of CAs you trust is likely to help, as will keeping an eye on vendor announcements. Here are some currently flagged on the ISC page.

Microsoft:
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx

Mozilla:
http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/

ISC intend to flag other vendor announcements as they find them.

David Harley 
Director of Malware Intelligence