Advances in Certificate Spoofing

An interesting developing news story in this otherwise slow week has been about a security research effort to spoof SSL certificates. The group has found a way to generate hash collisions between a pair of certificates when the certificate authority uses the MD5 hash function. MD5 is an algorithm that was developed in the early 1990s but has since been replaced with more sophisticated hash functions. However, MD5 remains an option for SSL certificate issuers to use. By controlling what one of the certificates in the pair says and having the other certificate officially signed, the attack allows one to generate illegitimate certificates that appear to have been signed by a trusted authority.
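Because the attack depends on the issuer signing with MD5, a practical check is to look at which signature algorithm a certificate carries. The following is an added example, not code from the original post: it reads the signatureAlgorithm OID from a DER-encoded certificate and reports whether it is md5WithRSAEncryption. The function names and the two sample byte strings are constructed for illustration.

```python
# Added example: flag DER X.509 certificates whose signature uses MD5.
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
def read_tlv(buf, pos):  # returns (tag, value_start, value_end)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        start, length = pos + 2, first
    else:                                 # long-form length
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def decode_oid(body):  # content bytes of an OBJECT IDENTIFIER -> dotted string
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_oid(der):
    """OID of Certificate.signatureAlgorithm, the algorithm a verifier applies."""
    tag, start, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)          # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)      # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(der[oid_start:oid_end])

def md5_signature(der):  # MD5-based algorithm name, or None
    return MD5_SIG_OIDS.get(signature_oid(der))

# Constructed samples: certificate-shaped skeletons, not real certificates.
def sample_cert(oid_body):
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short lengths only
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, oid_body) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xaa\xaa"))
MD5_SAMPLE = sample_cert(bytes.fromhex("2a864886f70d010104"))
SHA256_SAMPLE = sample_cert(bytes.fromhex("2a864886f70d01010b"))
```

To check a real certificate, pass its DER bytes (not PEM text) to `md5_signature`; a non-None result means the chain relies on an MD5 signature.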