By: beamq

beamq — Thu, 30 Jul 2009 03:00:17 +0000

Most of our sites are using MD5. What can we do ?

By: Anonymous

Anonymous — Mon, 05 Jan 2009 17:26:06 +0000

The problem is, it doesn't matter so much that your site uses SHA1 - if any registrar, anywhere, uses MD5, then your site (which is happily using a SHA1 cert on a sane registrar) can be spoofed. In fact, your site using MD5 isn't really useful - if you read the attack paper, they need to predict the serial number of the certificate some time ahead in order to produce the so-called 'birthday block' that they need to convince the CA to embed into the certificate.

So, as a user, you should tell your browser not to trust MD5. And as a webmaster, you should make sure you're not using MD5, because it won't be long before browsers stop accepting it. But it's not about 'safety' for the website itself; until browsers lock down MD5, everyone is vulnerable.

Comments on: Is Your SSL Certificate Signed Using Vulnerable MD5?

By: beamq

By: Anonymous