Since the publication of the attack against RapidSSL’s certificate issuing process, numerous stories have been published about how many SSL certificates are suddenly “unsafe”. The best (or worst) example I’ve seen so far is this one at TG Daily. It starts with the following statement:
14% of SSL certificates on the Internet potentially unsafe
Netcraft provided more details on a critical digital certificate vulnerability revealed last week. Although Microsoft downplayed the problem by stating that the successful exploit was not published, Netcraft found that 14% of SSL certificates use the vulnerable MD5 hashing algorithm.
This suggests that there is something wrong with the certificates themselves. If you read the actual publication about the attack, you’ll notice that it requires ordering new certificates from a CA that still signs with MD5, and whose serial numbers and validity periods the attacker can predict, because the colliding certificate has to be prepared before the CA signs it. Certificates that have already been issued are not at risk: turning an existing MD5-signed certificate into a forgery would need a second-preimage attack on MD5, which nobody has, not the collision attack that was presented. Your secure website doesn’t become less secure because the certificate it’s using was signed using an MD5 hash; the problem is the CA’s signing practice, not the certificates already in the field. The article then continues to tell us that other CAs use SHA-1:
The remaining 7000 vulnerable certificates are from Thawte and Verisign, but the analysis firm noted that most of their certificates are signed with the SHA-1 algorithm, which is currently believed to be secure. All other certificates on the Internet use only SHA-1.
If you compare this with the actual text from the Netcraft press release they are quoting, you’ll find that Netcraft is not actually saying SHA-1 is “believed to be secure”:
Security remains a moving target, however, as researchers have also started to find weaknesses in SHA1. Although there are no attacks as advanced as those against MD5, it is likely that SHA1 will also be increasingly threatened by collision attacks as research in this area continues. There are more secure cryptographic hashes available, however, so we can expect to see CAs start to phase in newer, stronger hashes over the next few years.
There is a big difference between “believed to be secure” and “we know there are weaknesses, stronger hashes are already available, and CAs should phase them in over the next few years”. The good news is that the attack that was presented will soon become impossible to execute against these CAs, as long as no other CA keeps issuing MD5-signed certificates: RapidSSL stopped using MD5 within 24 hours of the presentation, and Verisign (the owner of RapidSSL) will stop using MD5 entirely by the end of January.
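If you want to turn the Netcraft figure into something actionable for your own site, the question to answer is “what is my certificate, and every CA certificate above it, signed with?”. The script below is an added example, not code from the original post, from Netcraft or from any CA: it walks just enough DER with the Python standard library to pull out the signatureAlgorithm OID, confirms it matches the copy inside tbsCertificate (RFC 5280 requires the two to agree, and a mismatch is a red flag), and flags md5WithRSAEncryption. The certificates it parses are constructed skeletons built in the script itself, not real certificates; point `scan_pem_bundle` at the chain printed by `openssl s_client -showcerts` to check a live one.

```python
"""Identify the hash in an X.509 certificate's signature algorithm using only
the Python standard library: a minimal DER walk, no third-party ASN.1 parser.

Certificate ::= SEQUENCE {
    tbsCertificate      SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... },
    signatureAlgorithm  AlgorithmIdentifier,
    signatureValue      BIT STRING }
"""
import base64
import re

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> name
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _pem_to_der(data):
    body = re.sub(rb"-----[^-]+-----|\s", b"", data)   # drop BEGIN/END lines and whitespace
    return base64.b64decode(body)


def signature_algorithm(cert_bytes):
    """Return (oid, name) for the certificate's signatureAlgorithm (PEM or DER input),
    after checking it agrees with the algorithm recorded inside tbsCertificate."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        cert_bytes = _pem_to_der(cert_bytes)
    tag, cert, _ = _read_tlv(cert_bytes, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)                   # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)             # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)                      # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, p = _read_tlv(tbs, p)                    # version present: skip serialNumber too
    _, inner_alg, _ = _read_tlv(tbs, p)                # tbsCertificate.signature
    outer_oid = _decode_oid(_read_tlv(outer_alg, 0)[1])
    inner_oid = _decode_oid(_read_tlv(inner_alg, 0)[1])
    if outer_oid != inner_oid:
        raise ValueError(f"signatureAlgorithm {outer_oid} != tbsCertificate.signature {inner_oid}")
    return outer_oid, SIGNATURE_OIDS.get(outer_oid, "unknown")


def is_md5_signed(cert_bytes):
    return signature_algorithm(cert_bytes)[1] == "md5WithRSAEncryption"


def scan_pem_bundle(data):
    """Classify every certificate in a PEM bundle, e.g. `openssl s_client -showcerts` output."""
    blocks = re.findall(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", data, re.S)
    return [signature_algorithm(b) for b in blocks]


# --- constructed test data below: structurally valid skeletons, not real certificates ---

def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def make_skeleton_cert(sig_oid):
    """Constructed certificate skeleton (only the fields this walk touches) signed with sig_oid."""
    alg_id = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")           # AlgorithmIdentifier, NULL params
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg_id)  # v3, serial 1
    sig = _der(0x03, b"\x00" + b"\x00" * 32)                           # dummy BIT STRING signature
    return _der(0x30, tbs + alg_id + sig)


def to_pem(der):
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = b"".join(to_pem(make_skeleton_cert(o)) for o in
                      ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"))
    for oid, name in scan_pem_bundle(bundle):
        flag = "  <-- MD5: the issuing CA must not still be signing with this" if name == "md5WithRSAEncryption" else ""
        print(f"{oid:24} {name}{flag}")
```

Note what the output does and does not tell you: an MD5 entry on your own leaf certificate is a historical fact about the CA, not a hole in your site, but an MD5 entry on an intermediate or root that is still actively issuing is exactly the setup the presented attack needs.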