ChosenSecurity's Response to SSL Vulnerability Paper

According to the research paper “MD5 is considered harmful today – Creating a rogue CA certificate,” a research team succeeded in generating a rogue CA certificate trusted by all popular browsers. The attack takes advantage of a weakness in the MD5 hash function. MD5 is one of a series of hash functions that are used to check the integrity of data. Such hash functions are used for signing certificates.

Theoretical MD5 attacks were published in 2007.

The recently published attack on the SSL certificate system can now be realized not only because of the MD5 weakness, but also because other criteria are met, including:

  • The CA processes online requests for MD5-based certificates in an automated way. TC TrustCenter ceased using an online certificate request channel for MD5-RSA server certificates some time ago.
  • It is possible to predict a serial number with reasonable probability of success. Following the recommendations of the German Signature Act, TC TrustCenter uses a unique method to construct serial numbers that are not predictable.

TC TrustCenter was mentioned in the paper because it uses MD5-based certificates for some of its SSL servers. Due to the methods we use for certificate generation, the attack does not apply here. However, this week, TC TrustCenter has started to replace the MD5-based SSL certificates.

In summary, we can state that for a successful attack, certain criteria need to be fulfilled; most importantly, it must be possible to request new MD5-based certificates with predictable serial numbers.
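
An added example, not TC TrustCenter's or ChosenSecurity's code: a small audit a CA operator could run over its own issuance log to check the two criteria stated above. The log records, function names and the 20-bit gap threshold are assumptions constructed for illustration.

```python
from statistics import median

# Constructed issuance logs in issuance order: (serial_hex, signature_algorithm).
# None of these values come from a real CA.
SEQUENTIAL_MD5 = [
    ("0a41f0", "md5WithRSAEncryption"),
    ("0a41f1", "md5WithRSAEncryption"),
    ("0a41f3", "sha1WithRSAEncryption"),
    ("0a41f4", "md5WithRSAEncryption"),
    ("0a41f5", "md5WithRSAEncryption"),
]
RANDOM_SERIALS = [
    "7c1e93b05a2d4f8861d0c3a97e5b2f14",
    "12f4a86b9c03d7e5418b6f2a0d95c37e",
    "e93b57c2a0146d8f3b7e9105c4d2a68b",
    "45d08e7a1b96c3f2570e4ad8b1936c20",
]
RANDOM_MD5 = [(s, "md5WithRSAEncryption") for s in RANDOM_SERIALS]
RANDOM_SHA1 = [(s, "sha1WithRSAEncryption") for s in RANDOM_SERIALS]


def md5_signed(log):
    """Serials of certificates whose signature algorithm uses MD5."""
    return [serial for serial, alg in log if alg.lower().startswith("md5")]


def serial_gap_bits(log):
    """Median bit length of the gap between consecutively issued serials.

    A gap of a few bits means the next serial can be guessed from the last one.
    """
    serials = [int(serial, 16) for serial, _ in log]
    gaps = [abs(b - a) for a, b in zip(serials, serials[1:])]
    return median(gap.bit_length() for gap in gaps)


def audit(log, min_gap_bits=20):
    """Report both criteria; min_gap_bits is an assumed threshold, not a standard."""
    md5 = md5_signed(log)
    gap = serial_gap_bits(log)
    predictable = gap < min_gap_bits
    return {"md5_serials": md5, "gap_bits": gap,
            "predictable_serials": predictable,
            "both_criteria_met": bool(md5) and predictable}


if __name__ == "__main__":
    for name, log in [("sequential+MD5", SEQUENTIAL_MD5),
                      ("random+MD5", RANDOM_MD5), ("random+SHA-1", RANDOM_SHA1)]:
        print(name, audit(log))
```

Only the first constructed log meets both criteria; the second still reports MD5-signed certificates that should be replaced even though its serials are not predictable.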

We emphasize that TC TrustCenter stopped issuing MD5-RSA based certificates to its customers some time ago.

About ChosenSecurity, Inc. (www.chosensecurity.com)

ChosenSecurity provides digital trust between employees, clients and suppliers doing business over the Internet through on-demand digital certificate management services.

On-demand digital certificate management from ChosenSecurity enables a wide range of digital trust applications, such as strong authentication, secure e-mail, digital signatures and data encryption to control access to digital assets, protect against data leakage and support compliance with privacy, e-signature and other regulations.

ChosenSecurity was the first to provide digital certificate management through a Software as a Service (SaaS) model and remains the leader through its breakthrough economics, versatility and implementation speed for enterprises. Unlike traditional PKI and private certificate authority (CA) options, ChosenSecurity solutions can be implemented in 70% less time and 70% less cost.