VeriSign switches to new hash function to secure SSL certs

Share this article:
VeriSign, an SSL certification authority (CA), has announced it is switching from the vulnerable MD5 hash function to SHA-1 after the insecurity of MD5 came to light last week with a practical proof-of-concept attack.

A team of researchers revealed at a hacker conference last week a weakness in the MD5 cryptographic hash function that could enable an attacker to create a rogue certificate and potentially impersonate any website, including those secured by the HTTPS protocol.

VeriSign -- one of six CAs reportedly still using the outdated certificates -- said it has been phasing out the MD5 hashing algorithm and is aiming to discontinue the use of MD5 altogether by the end of January, Tim Callan, vice president of product marketing at VeriSign, told SCMagazineUS.com Monday.

“VeriSign has since discontinued using MD5 when issuing RapidSSL certificates and has confirmed that all other SSL Certificates that VeriSign issues are not vulnerable to this MD5 attack,” the company said in a news release.

VeriSign said customers who have certificates in place using the MD5 hashing algorithm can replace their certificates with RapidSSL SHA-1 certificates for free; VeriSign is temporarily suspending its normal fees for replacement certificates, Callan said.

Shortly after news of the potential attack broke last week, CAs that are still using MD5 came under fire.

Share this article:

Sign up to our newsletters

More in News

Incapsula mitigates multi-vector DDoS attack lasting longer than a month

Incapsula mitigates multi-vector DDoS attack lasting longer than ...

Incapsula's scrubbing servers were able to filter out more than 50 petabits of malicious DDoS traffic aimed at a video game company for longer than a month.

UPS announces breach impacting 51 U.S. locations

The shipping and printing provider said malware has been present on some stores' computer systems since mid-January.

'Machete' espionage campaign targets orgs in Venezuela, Ecuador

The campaign targets Spanish speaking victims, which also appears to be the native language of attackers.