VeriSign switches to new hash function to secure SSL certs

Share this article:
VeriSign, an SSL certification authority (CA), has announced it is switching from the vulnerable MD5 hash function to SHA-1 after the insecurity of MD5 came to light last week with a practical proof-of-concept attack.

A team of researchers revealed at a hacker conference last week a weakness in the MD5 cryptographic hash function that could enable an attacker to create a rogue certificate and potentially impersonate any website, including those secured by the HTTPS protocol.

VeriSign -- one of six CAs reportedly still using the outdated certificates -- said it has been phasing out the MD5 hashing algorithm and is aiming to discontinue the use of MD5 altogether by the end of January, Tim Callan, vice president of product marketing at VeriSign, told SCMagazineUS.com Monday.

“VeriSign has since discontinued using MD5 when issuing RapidSSL certificates and has confirmed that all other SSL Certificates that VeriSign issues are not vulnerable to this MD5 attack,” the company said in a news release.

VeriSign said customers who have certificates in place using the MD5 hashing algorithm can replace their certificates with RapidSSL SHA-1 certificates for free; VeriSign is temporarily suspending its normal fees for replacement certificates, Callan said.

Shortly after news of the potential attack broke last week, CAs that are still using MD5 came under fire.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Report: Stolen card data is crime that concerns Americans most

A recent Gallup Crime poll indicates that Americans' top two worries revolve around having credit card data stolen or their computer or smartphones compromised.

Pirate Bay co-founder found guilty for hacking IT service provider

Gottfrid Svartholm Warg was found guilty of hacking an IT service provider in Denmark. This is his second court case for illegally accessing data.

Assume Drupal 7 sites are compromised, unless patched or updated to 7.32 ...

Assume every Drupal 7 website is compromised, unless patched or updated to Drupal 7.32 within seven hours of the disclosure of a highly critical SQL injection vulnerability.