Submission + - Researchers use MD5 collision to break SSL (cnet.com)
An anonymous reader writes: CNET (and others) are reporting that a team of researchers has just announced at the 25th Chaos Communications Conference in Berlin that they have "broken" SSL. More precisely, they have further developed and exploited previously known weaknesses in MD5 to generate a rouge "certificate authority" SSL certificate which appears valid to browsers. Using this, they can sign new other certificates in any name they choose, opening up serious man-in-the-middle attacks on secure sites.
Note that this is not likely to be a problem in practice, because the exploit is technically difficult to duplicate and they are not releasing full details, nor the rogue CA cert. However — they broke SSL!
Note that this is not likely to be a problem in practice, because the exploit is technically difficult to duplicate and they are not releasing full details, nor the rogue CA cert. However — they broke SSL!