Glad to see Verisign addressing the flawed security certificates issue



Kay
Wed 31st Dec 2008, 23:37
I was reading yesterday about how researchers had figured out how to create fake SSL certificates for ecommerce sites and shown off how they did it at a security conference. Verisign thankfully has addressed this right away. This was a major flaw which apparently has been known about before now from what I'd heard. It's a wonder anyone does business online.



4:56 PM EST Wed. Dec. 31, 2008

Verisign Inc. is getting rid of its MD5 digital certificates a month early after researchers revealed that an exploitable flaw in the algorithm could allow hackers to impersonate a banking or retail Web site and steal customers' financial data.

Mountain View, Calif.-based Verisign, a managed security service provider, said that it has immediately discontinued the flawed MD5 cryptographic function used for digital signatures, while offering a free transition for customers to move to the more secure RapidSSL brand certificates using the SHA-1 algorithm.

"We applaud this team's research and efforts to improve online security as well as their disclosure of the findings for the benefit of the broader Internet community," said Chris Babel, Verisign SVP and general manager. "We take issues like these very seriously and work quickly to remedy vulnerabilities that could potentially affect trust and security online."


Full article (http://www.crn.com/security/212700354)

Nazreen
Thu 1st Jan 2009, 01:37
Thanks for the info Kay.

That was a quick and good resolution to Verisign's flawed security certificates issue. But on the other hand, this issue was already known way back in 2004, as mentioned in the article. They should already have handled this the first time the issue was known and not waited for some researchers to demonstrate how hackers could take advantage of this security flaw.

scifi
Tue 6th Jan 2009, 12:56
Verisign Inc. has done a great job in figuring out how to create fake SSL certificates for ecommerce sites so as to prevent such activities from happening in the future, but taking into consideration that the issue was known way back in 2004 too, the action came too late... Wonder if hackers might have taken advantage of this flaw during all these 4 years!!!! :rolleyes:

Fergal
Wed 7th Jan 2009, 11:58
Verisign are a very large and respected company. I don't know for sure but I would suspect that this issue was not greatly manipulated by hackers; if it was, I'd imagine that they would have resolved it much quicker.

scifi
Wed 7th Jan 2009, 15:32
Verisign are a very large and respected company. I don't know for sure but I would suspect that this issue was not greatly manipulated by hackers; if it was, I'd imagine that they would have resolved it much quicker.

Yeah Fergal, rightly said: if this issue had troubled Verisign, they might have taken action much earlier, and the action which came recently would then have been a matter of the past.
But as general habits go, a person does not resolve a problem when it is small, and it creates havoc when the problem becomes a heap over time...

Fergal
Thu 8th Jan 2009, 08:15
Very true Scifi - like the old horseshoe nail nursery rhyme.
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.

scifi
Thu 8th Jan 2009, 18:23
Very true Scifi - like the old horseshoe nail nursery rhyme.

A very nice poem, Fergal. It reveals the message clearly & effectively, but only to those who are ready to understand it!!!!!