Comments on: MD5 Weaknesses Could Lead to Certificate Forgery http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/ Thu, 19 Nov 2009 15:36:11 -0800 http://wordpress.org/?v=2.8.6 hourly 1 By: WEB Consultant http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-103636 WEB Consultant Mon, 26 Jan 2009 06:34:10 +0000 http://blog.mozilla.com/security/?p=62#comment-103636 MD5 hash algorithm is very old. I think security specialists have to develop something more usefull and strong. MD5 hash algorithm is very old. I think security specialists have to develop something more usefull and strong.

]]> By: event security http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-103622 event security Mon, 26 Jan 2009 01:52:43 +0000 http://blog.mozilla.com/security/?p=62#comment-103622 @Wanda: I think that was just an intermittent error with Facebook that should have resolved itself. @Wanda: I think that was just an intermittent error with Facebook that should have resolved itself.

]]> By: Wanda R http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-103449 Wanda R Fri, 23 Jan 2009 02:42:39 +0000 http://blog.mozilla.com/security/?p=62#comment-103449 I'm not an IT person, just a regular user. I recently switched to Firefox which is quicker and sleeker. Now, all day today, when I try to enter the Facebook application, I get the following...Secure Connection Failed. An error occurred during a connection to login.facebook.com. Can't connect securely because the SSL protocol has been disabled. (Error code: ssl_error_ssl_disabled) The page you are trying to view can not be shown because the authenticity of the received data could not be verified. * Please contact the web site owners to inform them of this problem. What should I do? I can get in with IE but that is sooo sloow. HELP. I’m not an IT person, just a regular user. I recently switched to Firefox which is quicker and sleeker. Now, all day today, when I try to enter the Facebook application, I get the following…Secure Connection Failed.

An error occurred during a connection to login.facebook.com.

Can’t connect securely because the SSL protocol has been disabled.

(Error code: ssl_error_ssl_disabled)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

* Please contact the web site owners to inform them of this problem.

What should I do? I can get in with IE but that is sooo sloow. HELP.

]]> By: Johnathan Nightingale http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-103307 Johnathan Nightingale Wed, 21 Jan 2009 19:31:13 +0000 http://blog.mozilla.com/security/?p=62#comment-103307 @Nick, and others asking similar questions: We certainly can look at retiring MD5 as a supported algorithm, in fact that discussion is already happening in the mozilla.dev.tech.crypto newsgroup, and the bugs are being worked on. As you anticipate, the decision will need to take into account how much of the internet it breaks. I've got a related post up about how to answer some of those questions, here: http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/ @Nick, and others asking similar questions:

We certainly can look at retiring MD5 as a supported algorithm, in fact that discussion is already happening in the mozilla.dev.tech.crypto newsgroup, and the bugs are being worked on. As you anticipate, the decision will need to take into account how much of the internet it breaks. I’ve got a related post up about how to answer some of those questions, here:

http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/

]]> By: pakman http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-103065 pakman Sun, 18 Jan 2009 16:16:38 +0000 http://blog.mozilla.com/security/?p=62#comment-103065 find more at grc.com/securitynow Breaking SSL, PDP-8's & UltraCapacitors episode 177 a security podcast download http://media.grc.com/sn/sn-177-lq.mp3 find more at grc.com/securitynow
Breaking SSL, PDP-8’s & UltraCapacitors episode 177

a security podcast

download

http://media.grc.com/sn/sn-177-lq.mp3

]]> By: David Mentré http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-102868 David Mentré Thu, 15 Jan 2009 10:31:26 +0000 http://blog.mozilla.com/security/?p=62#comment-102868 Hello, This security issue shows that the security model of Firefox relying exclusively on third party authentication (i.e. the recent demise of self-signed certificates in Firefox 3) is fundamentally broken. One should not be more confident in a Verisign certificate than in a self-signed one. What is really meaningful is when something "strange" happens in the background, e.g. when a website changes its certificate (self-signed or not). Sincerely yours, David Mentré Hello,

This security issue shows that the security model of Firefox relying exclusively on third party authentication (i.e. the recent demise of self-signed certificates in Firefox 3) is fundamentally broken.

One should not be more confident in a Verisign certificate than in a self-signed one. What is really meaningful is when something “strange” happens in the background, e.g. when a website changes its certificate (self-signed or not).

Sincerely yours,
David Mentré

]]> By: Tom K http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-102140 Tom K Sun, 04 Jan 2009 19:26:14 +0000 http://blog.mozilla.com/security/?p=62#comment-102140 How about steps to check whether a cert in the chain uses MD5? An advisory concerning Moz. Products like firefox would be nice! Firefox extension that warns when an https connection relying on a MD5 hashed cert is established? Please take some real steps instead of only copy and pasting the link here. The advice "have caution" is really laughable, how shall i know what to look for if you don't tell me? How about steps to check whether a cert in the chain uses MD5? An advisory concerning Moz. Products like firefox would be nice! Firefox extension that warns when an https connection relying on a MD5 hashed cert is established?

Please take some real steps instead of only copy and pasting the link here. The advice “have caution” is really laughable, how shall i know what to look for if you don’t tell me?

]]> By: Kasper http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-101957 Kasper Thu, 01 Jan 2009 22:11:39 +0000 http://blog.mozilla.com/security/?p=62#comment-101957 I came here hoping to find an official answer to whether setting the security.ssl3.rsa_rc4_128_md5 option to false is sufficient to protect yourself against this weakness. I came here hoping to find an official answer to whether setting the security.ssl3.rsa_rc4_128_md5 option to false is sufficient to protect yourself against this weakness.

]]> By: Steven http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-101930 Steven Thu, 01 Jan 2009 13:11:46 +0000 http://blog.mozilla.com/security/?p=62#comment-101930 Firefox can patch this vulnerability very quickly and very easily (show the world how quickly a Firefox can mitigate the issue!) using the existing SSL verification mechanisms for example: (xxx website uses an insecure security certificate. The certificate is not trusted because the issuer certificate uses the insecure MD5 algorithm. Error code: sec_error_insecure_MD5_issuer_certificate)) Users can still add an exception to the Rule if needed but it would Mitigate the issue because the user would still be warned...It would also put more pressure on affected websites still using MD5 certificates to update them immediately and further mitigate any attack scenarios... The amount of websites using MD5 based certificates are small and if they see their certificate not working with Firefox or showing the "Secure Connection Failed" Page they will request a new certificate immediately... The longer Browsers accept MD5 based certificates the longer it will take to force website operators to update as some people just wouldn't care unless their certificate no longer works... Firefox can patch this vulnerability very quickly and very easily (show the world how quickly a Firefox can mitigate the issue!) using the existing SSL verification mechanisms for example: (xxx website uses an insecure security certificate. The certificate is not trusted because the issuer certificate uses the insecure MD5 algorithm. Error code: sec_error_insecure_MD5_issuer_certificate))

Users can still add an exception to the Rule if needed but it would Mitigate the issue because the user would still be warned…It would also put more pressure on affected websites still using MD5 certificates to update them immediately and further mitigate any attack scenarios…

The amount of websites using MD5 based certificates are small and if they see their certificate not working with Firefox or showing the “Secure Connection Failed” Page they will request a new certificate immediately…

The longer Browsers accept MD5 based certificates the longer it will take to force website operators to update as some people just wouldn’t care unless their certificate no longer works…

]]> By: Gary Covington http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/comment-page-1/#comment-101910 Gary Covington Thu, 01 Jan 2009 04:30:53 +0000 http://blog.mozilla.com/security/?p=62#comment-101910 How do I as a user tell if the certificate is MD5 or later? The little "locked padlock" symbol doesn't say. How do I as a user tell if the certificate is MD5 or later? The little “locked padlock” symbol doesn’t say.

]]>