
At the 25th Chaos Communication Congress (CCC) today, researchers will reveal how they used a collision attack against the MD5 hash algorithm to create a rogue certificate authority. This is pretty big news, so read on.
When you make a secured connection to a website via HTTPS, a public key certificate is sent from the server to your computer. This certificate carries a digital signature which your computer uses to verify the identity of the site to which you’re connecting. Certificates are “signed” by a Certificate Authority (CA), which acts as a kind of middle-man: you trust the CA, so you can trust the certificates signed by the CA. Anyone can create a certificate authority, though, so most browsers ship with a list of known reputable and trustworthy CAs. When your computer gets a certificate from a server, your browser checks which CA issued it and whether that CA is on the trusted list. If the CA is trusted, your browser assumes that the certificate being presented is trustworthy.
Jeremy Hermanns is a creator of digital ideas, advertising executive, super affiliate, and experienced sailor/pilot. During the day he manages the Performance Marketing Division of 