VeriSign switches to new hash function to secure SSL certsVeriSign, an SSL certification authority (CA), has announced it is switching from the vulnerable MD5 hash function to SHA-1 after the insecurity of MD5 came to light last week with a practical proof-of-concept attack.
A team of researchers revealed at a hacker conference last week a weakness in the MD5 cryptographic hash function that could enable an attacker to create a rogue certificate and potentially impersonate any website, including those secured by the HTTPS protocol.
VeriSign -- one of six CAs reportedly still using the outdated certificates -- said it has been phasing out the MD5 hashing algorithm and is aiming to discontinue the use of MD5 altogether by the end of January, Tim Callan, vice president of product marketing at VeriSign, told SCMagazineUS.com Monday.
“VeriSign has since discontinued using MD5 when issuing RapidSSL certificates and has confirmed that all other SSL Certificates that VeriSign issues are not vulnerable to this MD5 attack,” the company said in a news release.
VeriSign said customers who have certificates in place using the MD5 hashing algorithm can replace their certificates with RapidSSL SHA-1 certificates for free; VeriSign is temporarily suspending its normal fees for replacement certificates, Callan said.
Shortly after news of the potential attack broke last week, CAs that are still using MD5 came under fire.