A team of “security researchers” has announced that they managed to issue false SSL certificates by exploiting an MD5 vulnerability. This was announced publicly at a hackers’ conference today in Berlin, with full details disclosed here.
They were able to do so by using a known vulnerability in the MD5 hash function and an array of 200 PS3s to create a false SSL certificate. The PlayStation 3 was used because of its Cell microprocessor and vector calculation abilities, which make it ideal for brute-force attacks like this.
This means the SSL protection advertised by banks or e-commerce websites is now compromised.
If you purchased an SSL certificate from RapidSSL or FreeSSL (one of the “cracked” SSL providers), you must take steps to verify the integrity of your servers, even if it’s highly unlikely that a hacker will find the resources to gather 200 PS3s overnight to take advantage of this vulnerability. For instance, look for a provider that uses SHA-1 message authentication instead of MD5.
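One way to check whether a certificate you hold is MD5-signed is to read the signature algorithm OID out of its DER encoding. The following is an added example, not code from the original post or from the researchers; the function names are hypothetical and the sample input is a constructed certificate skeleton, not a real certificate.

```python
import base64
import re

MD5_RSA = "1.2.840.113549.1.1.4"  # md5WithRSAEncryption (PKCS #1)
NAMES = {MD5_RSA: "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    """Dotted OID string; assumes a first arc of 0 or 1, which covers PKCS #1."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)        # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    return decode_oid(der[oid_start:oid_end])

def check_pem(pem):
    """Return (algorithm name or OID, True if the certificate is MD5-signed)."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    oid = signature_oid(base64.b64decode(body.group(1)))
    return NAMES.get(oid, oid), oid == MD5_RSA

def constructed_pem(last_arc):
    """Constructed certificate skeleton (not a real certificate) for the demo."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, bytes(40)) + alg + tlv(0x03, bytes(17)))
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"
```

For a real server, pass `check_pem` the PEM text of its certificate, for example the string returned by Python's `ssl.get_server_certificate((host, 443))`. This inspects only the certificate it is given, so any intermediate certificates in the chain need the same check.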