Researchers successfully exploited a known “bug” with the MD5 hash algorithm to create duplicate SSL certificates.
As you know, when you want to show your site visitors that their transaction is safe with you, you purchase an SSL certificate. That certificate is registered to your domain and proves you are who you say you are.
So, no other site can “prove” they are you because there is only one valid SSL certificate for your domain and you own it.
With this latest breakthrough, phishers can create bogus websites and duplicate your SSL certificate. It’s like having the same DNA between 2 or more people.
The really interesting part of this announcement is that the researchers used over 200 Sony Playstations to crack the encryption. That’s right. Sony Playstations.
Reportedly, the Playstation 3’s cell processor is quite handy with cryptographic calculations and therefore was a natural for this experiment.
Keep in mind that this was not found “in the wild”. It was conducted by researchers in a lab, however, if they can produce it, I’m sure the cybercriminals won’t be far behind.
What can you do to protect yourself and more importantly your customers?
Be sure your SSL certificate was created with SHA-1 hashing rather than the MD5 hash found vulnerable in this situation. I have read that VeriSign has just now changed their cryptographic hashing from MD5 to SHA-1 but I’m not sure if that is only for new certificates issued from this point forward or if you’re able to update yours.
Some of the CA’s (Certificate Authorities) still using MD5 hashing include: RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte and Verisign.co.jp
I also want to point out that using this information is quite complicated and would not be easy to implement, but the fact remains that you can be proactive now and prevent your certificate from being used in a malicious way.