Last week the IT security community lit up with the news that a team of researchers demonstrated how they could force digital certificates -- those digitally signed files that make it possible for software to vouch for its publisher -- and Web sites to safely identify themselves.If you're not familiar with the news last week, colleague Mike Fratto summed up the importance of this research into digital forgery in this post.
On New Year's Eve, VeriSign announced that as of Tuesday, it's making the transition from the weakened (MD5) algorithm to the stronger SHA-1 algorithm:
VeriSign Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure services for the networked world, today announced an immediate transition to the SHA-1 algorithm on new RapidSSL brand certificates as of 11:00 a.m. Pacific on Tuesday, December 30. Additionally, VeriSign is offering free re-issuance of RapidSSL Certificates on the SHA-1 algorithm to replace those created with MD5.
The transition to the SHA-1 algorithm came within a few hours of the public unveiling of an MD5 flaw presented by researchers during the 2008 Chaos Communication Congress (CCC) in Berlin, rendering the MD5 flaw ineffective for all new RapidSSL Certificates.
During the Berlin event, researchers presented findings that highlighted an MD5 collision attack using substantial computing power to create a false SSL Certificate using the RapidSSL certificate brand. The attack was a potential method to create a new, false certificate from scratch and required the issuance of new certificates, meaning existing certificates were not targets for this attack.
VeriSign also made a point to note that it already had been well under way in phasing out the MD5 algorithm by the end of this January.