Microsoft: MD5 hack poses no major threats to users
In reaction to the news that s
In a security advisory , Microsoft acknowledged the disclosure earlier in the day of an exploit of long-known bugs in the MD5 hashing algorithm used to create the digital certificates that in turn provide proof of a secure connection between users and Web sites. But the software vendor minimized the danger that users could face.
"This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," said Microsoft. The company added that it wasn't aware of any actual attacks using the techniques described by an international team of researchers from Germany, the Netherlands, Switzerland, and the U.S.
Microsoft also noted that most of the certificate authority vendors that issue digital certificates have abandoned MD5 and upgraded to the more secure SHA-1 algorithm.
However, there are several notable exceptions that still rely on MD5, including VeriSign 's RapidSSL.com certificate authorization scheme. The researchers, who presented their findings at a security conference in Berlin today, said they in fact were able to hack RapidSSL.com and produce fake digital certificates.
"This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," said Microsoft. The company added that it wasn't aware of any actual attacks using the techniques described by an international team of researchers from Germany, the Netherlands, Switzerland, and the U.S.
Microsoft also noted that most of the certificate authority vendors that issue digital certificates have abandoned MD5 and upgraded to the more secure SHA-1 algorithm.
However, there are several notable exceptions that still rely on MD5, including VeriSign 's RapidSSL.com certificate authorization scheme. The researchers, who presented their findings at a security conference in Berlin today, said they in fact were able to hack RapidSSL.com and produce fake digital certificates.