An international group of independent security researchers announced on Tuesday that they had found a significant weakness in the Internet digital certificate infrastructure used by many Internet businesses.
The flaw could possibly allow cybercriminals to create fake certificates that would then be accepted and trusted by many widely used Internet browsers.

The supposed weakness could enable a hacker to impersonate secure Web sites and e-mail servers to launch virtually untraceable phishing attacks, according to the researchers from California, the Netherlands and Switzerland.

The concern is that this bit of technology, known as “Secure Sockets Layer” (SSL), is what banks and other financial institutions as well as on-line retailers and e-commerce sites use to maintain the security of the transactions.

The Laboratory for Cryptologic Algorithms stated that the major browser and Internet players, i.e. Mozilla and Microsoft (Nasdaq:MSFT), have been informed and that some have already taken action to better protect their users.

Weakened Net
Internet users may sometimes notice a tiny padlock icon that appears at the bottom of the browser when they visit certain Web sites. This icon provides users with a guarantee that the site is secured using a digital certificate. The certificates act as vouchers, enabling the browser to verify each certificate's signature using standard cryptographic algorithms.

This is not the first report of a problem with MD5. In 2004, a team of Chinese researchers presented findings that they were able to conduct a “collision attack”, the process of finding two arbitrary values whose hashes collide, and were able to create two separate messages with the same digital signature.

In 2007, another much stronger collision construction was announced by researchers elsewhere.

Criminals have been successful at launching phishing attacks even without the certificates. Consumers should also be aware and learn how to recognize false forms.