At a recent conference, it was announced that a group of researchers have been successful in creating bogus SSL certificates that will look legitimate to your browser. They did this through something known as md5 collisions. When SSL certificates are made, part of the process is creating an md5 hash associated with that certificate. Then, when you visit say amazon.com, your browser (the client) can check a locally generated hash against the certificate to confirm validity.

The problem with that is these hashes are NOT unique. There are “collisions” that can occur; two completely different files or strings or in this case certificates can have identical hashes. Through some massive computing power, researchers were able to create certificates that mimic the valid hash of certain websites which to say the least is dangerous for anyone visiting a compromised website. You could be redirected to a phishing website for your local bank and it would still look completely legitimate, SSL certificate and all.

People, this is why we have advancements in security. MD5 is a very old technology, and though still a good technology, it has been replaced by newer and better hash functions such as SHA-1 and SHA-2 to name a couple. Using MD5 to me is like saying that DES-56 encryption is good enough when you have AES-256 available to you. It is insanity for the websites that are dealing with the very security of our personal and financial information to not be using the latest and greatest technology.

To check out the presentation given at this conference, go here.