Dec 30

Written by: Martin
30.12.2008 16:42 

Well, not completely…

Over the last few days I’ve been watching some of the 25C3 talks, which are streamed live over the net. Very entertaining and informative. About an hour ago, in a talk called “Making the theoretical possible”, an international group of security researchers showed that the MD5 weakness, which has been known for a few years, can be used to create a rogue certificate authority certificate that can sign arbitrary certificates which are accepted by all major web browsers.

That means that even if your web browser shows that the connection to www.yourbank.com is encrypted and the SSL certificate is valid, it’s still possible that a man in the middle reads or modifies the communication between your browser and your bank.

On the one hand, this was bound to happen sometime after the MD5 weakness was published. On the other hand, it’s extremely disturbing that to this day CAs still issue SSL certificates using MD5 hashes and that only a practical demonstration will urge them to finally use safer hashing algorithms.

All the details are here: http://www.win.tue.nl/hashclash/rogue-ca/

 

 
