SSL Certificates With MD5 Cryptographic Standards Considered Insecure - All DigiCert Customers Unaffected.

January 5, 2009 -- On December 30, 2008 a group of security researchers reported that by exploiting a known weakness in the MD5 hashing algorithm, they were able to create a rogue intermediate CA certificate under the "Equifax Secure Global eBusiness CA-1" root certificate, belonging to GeoTrust's RapidSSL brand.

Because all certificates issued by DigiCert use the SHA-1 standard, we are happy to reassure all our past, present, and future customers that these findings do not present any reason for them to worry about the integrity of their DigiCert SSL certificates. The fact that DigiCert uses SHA-1 instead of the outdated MD5, along with various other internal controls, makes the attack by the MD5 researchers impossible.

The recent findings also highlight the problems inherent in the practice of issuing domain validated certificates, which can be issued automatically, with no human element in the verification process. Though frequently the companies that issue these "rapid," "instant," "low assurance," or "automated" certificates tout the speed with which SSL certificates can be issued, these certificates provide no assurance that the certificate belongs to a real company.

To protect our customers, DigiCert issues only organization-validated, high assurance SSL certificates. This, in addition to other security practices, helps to prevent phishing and other abuses.

Netcraft, an internet services and security company, reported the following in addressing the issue:

"The researchers have noted that certificates for Extended Validation (EV) SSL websites cannot be faked in this way - because the EV standard requires SHA1 or better signatures, and indeed there are no MD5-signed EV certificates found by our survey. This shows that requiring minimum standards from the CAs can have positive effects - hopefully browser vendors will take note, and start requiring that CAs apply similar minimum standards to other certificates."

Return to News Archive

Return to Main News Page