Some time after the MD5 problems with Internet certificate authorities (CAs) came to light, new and more serious problems have emerged.
First, let us look back. A while ago, a report presented at the Chaos Communication Congress in Berlin outlined the main problem in the way CAs handle hash functions: an attacker could exploit the weakness of the MD5 hash algorithm to mount an attack.
The attack relies on hash "collisions". (A hash function lets software compute the digital signature over a smaller, more predictable amount of data that remains closely tied to the original content, which effectively guarantees that the signed information has not been changed.) Collisions were proposed in theory as early as 2004 and have now become a real problem in this field.
After the previous article, two reporters (oiaohm and Lawrence D'Oliveiro) raised some profound questions with me for further study. I will submit their views to the team that is studying the CA issues, and the related issues are covered in this discussion. In addition, other problems will be addressed.
High-level certificate authorities (CAs) that still rely on the MD5 algorithm are affected. The security team has told the CAs concerned that they need to change their hash algorithm immediately, but doing so is not easy.
Oiaohm said: "The disguised certificate authority issues a certificate with the same key as the real one to hide itself and attacks the target site. The problem here is how the traffic gets redirected to the disguised certificate authority."
Benne de Weger said: "A certificate for the real website's public key can indeed be issued by the disguised certificate authority, but it has no practical use, because the attacker cannot obtain the corresponding key."
Oiaohm further pointed out that these problems would also show up in Windows driver signing, and de Weger said: "It depends on the operation of the certificate authority that issues the certificate."
Security experts noted that the only solution is for the mainstream browsers to drop these CAs' root certificates. Until then, users can change their browser configuration and remove the suspect certificates from the list of trusted certificates.
Is it feasible to upgrade browsers so that they refuse MD5 certificates from a certificate authority? And would that mean refusing all upstream and downstream data from these authorities?
De Weger made clear that this problem cannot be resolved quickly, which is why the existing MD5 certificates cannot simply be revoked. He added that even if the certificate authorities stop using MD5, the problem is not fully solved, because revoking so many existing certificates would cause major disruption on the Internet.
The MD5 security risk exists, and there is no efficient solution. We hope that the relevant security research organizations can improve the situation as soon as possible.