Misleading Security Headline

By Ian Scott

I hate misleading headlines. Every so often, one appears relating to some security issue or vulnerability. Today, I received an email from PC Mag that held my interest for a number of reasons, including the fact that I make use of the SSL protocol and manage a number of SSL certificates for clients. The headline?

“SSL Crack Shows You Must Advance Your Security.”

I clicked through to the article and was a bit disappointed to read that the story was unable to show any problems with the SSL protocol at all. What it did discuss was that a research team was able to generate a rogue SSL certificate that web browsers accepted as having been issued by a commercial certificate authority, RapidSSL.

But this has nothing to do with SSL itself; it has to do with the hash function, in this case MD5, that RapidSSL used when signing the certificates it issued. A certificate authority does not sign the certificate contents directly; it signs a hash of them. If an attacker can produce two certificates with the same MD5 hash, a signature the CA placed on the harmless one is equally valid for the rogue one, and browsers have no way to tell the two apart.

Flaws in MD5 have been known for years (practical collisions were published in 2004), and the standing recommendation wherever a hash function is required has been to use the SHA-2 family (SHA-256 and up) instead.

So the problem is not with SSL itself. The problem lies with certificate issuers that were still signing with MD5. For anyone managing certificates, the practical check is to look at the signature algorithm on every certificate in the chain, not just at the protocol version the server negotiates.
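The check described above, as an added example that is not part of the original post: a stdlib-only Python script that reads the signatureAlgorithm field straight out of a DER-encoded X.509 certificate and flags MD5-signed (and, going a step beyond this post, MD2- and SHA-1-signed) certificates. The DER walker and OID decoder follow X.690; the OID-to-name table is the standard PKCS #1 and ECDSA set. The certificates it audits offline are constructed in the script purely for the demo (a stand-in tbsCertificate and an all-zero signature), and are not real certificates. The `audit_pem` helper is an assumed convenience wrapper for feeding it a real PEM file.

```python
"""Audit an X.509 certificate's signature algorithm from raw DER (stdlib only)."""
import ssl

# Signature algorithms that should never appear on a certificate in a modern chain.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
KNOWN_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    **WEAK_SIG_OIDS,
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Decode OID content octets into dotted form (X.690 section 8.19)."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:  # base-128, high bit set on all but the last octet of an arc
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID from the signatureAlgorithm field of a DER Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    return _decode_oid(oid)


def audit(der):
    """Classify the certificate's signature algorithm: name, OID and whether it is weak."""
    oid = signature_algorithm(der)
    return {"oid": oid, "name": KNOWN_SIG_OIDS.get(oid, "unknown"), "weak": oid in WEAK_SIG_OIDS}


def audit_pem(pem_text):
    """Assumed convenience wrapper: audit a PEM certificate (e.g. from ssl.get_server_certificate)."""
    return audit(ssl.PEM_cert_to_DER_cert(pem_text))


# --- minimal DER encoder, used only to construct demo certificates below ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_test_certificate(sig_oid):
    """Constructed demo Certificate (not a real cert): stub tbsCertificate, zero signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                                   # serial 1 only
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))   # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\x00" * 16)                                # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(audit(make_test_certificate(oid)))
```

Against a live host, `ssl.get_server_certificate((host, 443))` returns the leaf certificate as PEM, which `audit_pem` accepts; intermediates have to be pulled from the handshake or the CA bundle and checked the same way, since a SHA-256 leaf hanging off an MD5-signed intermediate is exactly the case the RapidSSL research exploited.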

Read more in: Digital Signatures, Encryption, Just Plain Silly