VeriSign switches to new hash function to secure SSL certs

Share this article:
VeriSign, an SSL certification authority (CA), has announced it is switching from the vulnerable MD5 hash function to SHA-1 after the insecurity of MD5 came to light last week with a practical proof-of-concept attack.

A team of researchers revealed at a hacker conference last week a weakness in the MD5 cryptographic hash function that could enable an attacker to create a rogue certificate and potentially impersonate any website, including those secured by the HTTPS protocol.

VeriSign -- one of six CAs reportedly still using the outdated certificates -- said it has been phasing out the MD5 hashing algorithm and is aiming to discontinue the use of MD5 altogether by the end of January, Tim Callan, vice president of product marketing at VeriSign, told SCMagazineUS.com Monday.

“VeriSign has since discontinued using MD5 when issuing RapidSSL certificates and has confirmed that all other SSL Certificates that VeriSign issues are not vulnerable to this MD5 attack,” the company said in a news release.

VeriSign said customers who have certificates in place using the MD5 hashing algorithm can replace their certificates with RapidSSL SHA-1 certificates for free; VeriSign is temporarily suspending its normal fees for replacement certificates, Callan said.

Shortly after news of the potential attack broke last week, CAs that are still using MD5 came under fire.

Share this article:

Sign up to our newsletters

More in News

DDoS attacks remain up, stronger in Q2, report says

DDoS attacks remain up, stronger in Q2, report ...

Prolexic's second quarter DDoS report noted the proliferation of shorter attacks that ate up more bandwidth.

Superman soars above fellow superheroes as most toxic search term

A McAfee study found that searches pertaining to Superman exposed users to the most infected websites.

Black Hat talk on Tor weaknesses canceled

Black Hat organizers say legal counsel for the Software Engineering Institute and Carnegie Mellon University nixed the session.