The MD5 algorithm used by many sites, is not reliable

[Techguru01]

When you visit a Web site whose address begins with "https", a small padlock appears. In theory, this means that the site is secured by an electronic certificate. In practice, all risks are possible. Especially if the certificate uses the MD5 algorithm, which is still used by several authorities of electronic certification.

At a meeting of hackers Chaos Computer Club, which has just ended in Berlin, the results presented Tuesday 30 December leave more room for doubt: this piece of Internet infrastructure is not reliable, and allows hackers create certificates recognized as valid by all browsers.

The news is all the more disturbing ... it is not. This is not the first time, in fact, that the weakness of the cryptographic hash function MD5 is denounced. In 2004, a team of Chinese researchers had reported being able to create with it an attack "collision", by creating two different messages with the same signature.

In 2007, Swiss and Dutch researchers have demonstrated that there was an almost total freedom in the choice of two messages that come into collision. A concept with which these same researchers, who joined an American, are in fact create a false certification authority recognized by reliable Internet browsers.

Their goal? "Encouraging the use of encryption standards safer." Their weapon: a "cluster" (machines used to produce a supercomputer) of more than 200 game consoles available in trade, capable of generating a false Having lost his certificate validity (to prevent any real damage). Means available to hackers. Which could thus, making them bite the hook by "phishing", without their knowledge redirect users to fake banking sites or e-commerce.

Former "Mr. Security" V Mwari Inc. and first signatory of this communication, Alexander Sotirov (New York) was surprised to note that "despite years of warnings, several certification authorities continue to use this algorithm. Out of 30 000 certificates of Web sites, researchers have indeed found almost a third (9 000) employing DM5 in 2008.

"The main browsers and Internet players, such as Mozilla and Microsoft, have been informed of our discovery and some have already responded to better protect their users," reassures Arjen Lenstra, head of cryptographic algorithms laboratory at the Ecole Polytechnique Federal Lausanne. It does not so much as "imperative" that the navigation systems and certification authorities "do not use MD5 and migrate to more robust alternative." As SHA-2, already available, even to his future successor, SHA-3.

[Betsy]

Of course! There is no lock that has no key. Because you can never stop someone from making a key, the principle of protection is to periodically change the locks (proposed SHA-n) or to ensure that the time of manufacture is a key long enough for Information evening become obsolete. Next step: SHA2 and SHA3 are not safe.

[Chetna]

We would have appreciated that the author provides information on the likelihood that this vulnerability is actively exploited short / medium term before waving their arms as if disaster had arrived. MD-5 will be replaced in time, everything is in place.

[Gagnesh]

Not surprisingly, there is a likelihood. For commercial reasons we have some experts to believe the invulnerability of cryptographic systems. It could be on the basis of this article have doubts about the invulnerability of information technology Quotes and ask all relevant questions on the role of mathematics and computer science in rogue wave of the current economic crisis: everything is wrong at the base, we were believers