This bothers me while still encouraging my overall view behind SSL in the long term. As you can see from the link above, SSL has essentially, for lack of a better description, been “hacked”. By coming up with a means of creating a fake Certification Authority, a group of hackers have discovered that SSL can be overtaken with greater ease than we might have ever thought previously.
Now for the good news. Duplicating this is not too likely, at least according to the hackers who are refusing to release the exact key and code used to make the magic happen. Still, the idea of exploiting a weak MD5 cryptographic algorithm in digital signatures and certificates is going to keep me up at night for quite some time.
It is one thing to simply claim that you will not share what I deem to be very dangerous information with those who might opt to use it for nefarious purposes, but it is also quite another to believe this claim of “doing the right thing”. In the end, I am glad the weakness is public and sincerely hope that those who are in charge of our data security using SSL are working with these individual hackers to find a means of dealing with the MD5 issue itself. Clearly, this does not make me want to put a lot of faith into SSL until this problem has been resolved. Well, at least until the next exploit is figured out, that is.