A group that presented at the Chaos Communication Congress in Berlin
showed that a legitimately issued non-CA certificate could be turned into
a working CA certificate, breaking the trust model of the PKI.
This was done by using a large cluster of fast machines (200 PlayStation
3s) to compute an MD5 collision, then submitting a CSR whose resulting
certificate would carry a weak MD5-based signature. This certificate normally would not be allowed to sign
By copying the MD5 signature from the real non-CA certificate onto a
crafted CA certificate with the same MD5 hash, the group obtained a rogue
CA certificate that chained to the trusted root and could issue further
certificates on its authority. These certificates would be accepted in all major browsers.
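The following is an added example, not part of the original memo and not the 25C3 team's code, showing why copying the signature works: an MD5-based signature commits only to the 128-bit digest, so any second document with the same digest carries a valid signature. It uses the identical-prefix collision pair published by Wang and Yu in 2005 (the rogue CA needed the harder chosen-prefix kind, but the effect on a signature is the same) and a textbook RSA key built from two fixed Mersenne primes as a stand-in for the CA's key; the key, and the absence of PKCS#1 padding, are assumptions of the demo, not details of the real attack.

```python
import hashlib

# The two 128-byte messages published by Wang and Yu (2005) that share one MD5
# digest.  This is an identical-prefix collision; the 25C3 team needed the harder
# chosen-prefix kind to make one half a valid CSR and the other a CA certificate,
# but what it does to a signature is identical.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Stand-in for the CA's RSA key: textbook RSA over two fixed Mersenne primes
# (an assumption of this demo; a real CA key is 2048+ bits with PKCS#1 padding).
# n is about 150 bits, larger than the 128-bit MD5 digest it signs.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def md5_int(data: bytes) -> int:
    """What an MD5-based signature actually commits to: the 128-bit digest."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def sign(data: bytes) -> int:
    """The CA signs the digest of the document it was shown."""
    return pow(md5_int(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """The browser recomputes the digest of the document it is shown and compares."""
    return pow(signature, E, N) == md5_int(data)


def demo() -> dict:
    sig = sign(BLOCK_A)  # the CA signs the benign half only
    return {
        "md5_a": hashlib.md5(BLOCK_A).hexdigest(),
        "md5_b": hashlib.md5(BLOCK_B).hexdigest(),
        "bytes_differ": BLOCK_A != BLOCK_B,
        "a_verifies": verify(BLOCK_A, sig),
        "b_verifies": verify(BLOCK_B, sig),  # the copied signature also covers the rogue half
        "sha256_collides": hashlib.sha256(BLOCK_A).digest() == hashlib.sha256(BLOCK_B).digest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Verification of BLOCK_B succeeds even though the signer never saw it, because the verifier only ever compares digests. Swapping `hashlib.md5` for `hashlib.sha256` in `md5_int` makes the second check fail, which is the entire content of the move to a stronger digest discussed on this page: the signature scheme is untouched, only the hash it commits to changes.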
Since then, the major root-level CAs have switched from MD5 to SHA1 for
their signature algorithms.
At IAS, we use RapidSSL certificates signed with MD5 as a low-cost
solution for our PKI. Previously issued certificates are not vulnerable
In addition, MD5 signatures were used for IAS's internally signed
certificates. These previous certificates are also not vulnerable to
Going forward, ssldirect.com has changed the RapidSSL signature
algorithm to SHA1, and our internal CA has been changed to sign with
SHA1. This prevents a crafted CSR from being used to take advantage
of this vulnerability.
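To confirm that a certificate actually carries the new algorithm rather than trusting the vendor's announcement, the following added example (mine, not IAS's or RapidSSL's tooling) pulls the outer signatureAlgorithm OID out of a DER-encoded X.509 certificate with a minimal ASN.1 reader and flags md5WithRSAEncryption. A small DER encoder is included only to build a constructed certificate skeleton to run against; the OID table and the weak-algorithm set are assumptions chosen for the demo.

```python
# OIDs from RFC 3279 / RFC 4055 for the RSA signature algorithms discussed on this
# page (this table is an assumption of the demo; extend it as needed).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# Policy knob: algorithms a certificate must not be signed with.
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}


def der(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value, using long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def read_tlv(buf: bytes, pos: int):
    """Decode the DER element at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Inverse of encode_oid: a clear high bit ends each base-128 arc."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm in
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate: skipped
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid)


def audit(cert_der: bytes):
    """(oid, name, is_weak) for a DER certificate; unknown OIDs fail closed as weak."""
    oid = signature_algorithm(cert_der)
    name = SIG_ALG_NAMES.get(oid, "unknown")
    return oid, name, name == "unknown" or name in WEAK_SIG_ALGS


def constructed_certificate(sig_oid: str) -> bytes:
    """Constructed sample, not a real certificate: a Certificate skeleton with placeholder
    tbsCertificate and signatureValue so the parser sees realistic framing, including
    a long-form length on the outer SEQUENCE."""
    tbs = der(0x30, der(0x02, b"\x01"))                               # stands in for tbsCertificate
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # OID + NULL parameters
    sig = der(0x03, b"\x00" + bytes(128))                             # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"):
        print(audit(constructed_certificate(oid)))
```

For a real certificate, pass `signature_algorithm()` the DER bytes; for PEM, base64-decode the text between the BEGIN/END CERTIFICATE lines first. `openssl x509 -noout -text` reports the same field as "Signature Algorithm", which is a quick cross-check. WEAK_SIG_ALGS is deliberately a set to be reviewed, not fixed once: the caution about SHA1 later on this page is the reason.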
The bottom line is that, although interesting, and further proof that the MD5
algorithm should no longer be used, this does not increase IAS's risk or
It should also be noted that published research has shown collision
attacks against SHA1 that need far less work than brute force, so there
may be similar attacks on SHA1 in the future. The security community has
suggested moving to SHA256 or SHA512 and has put out a call for SHA3, the next cryptographic