VeriSign Announced It Has Transitioned To Stronger Crypto

Last week the IT security community lit up with the news that a team of researchers demonstrated how they could force digital certificates -- those digitally signed files that make it possible for software to vouch for its publisher -- and Web sites to safely identify themselves.

1 Min Read
Dark Reading logo in a gray background | Dark Reading

Last week the IT security community lit up with the news that a team of researchers demonstrated how they could force digital certificates -- those digitally signed files that make it possible for software to vouch for its publisher -- and Web sites to safely identify themselves.If you're not familiar with the news last week, colleague Mike Fratto summed up the importance of this research into digital forgery in this post.

On New Year's Eve, VeriSign announced that as of Tuesday, it's making the transition from the weakened (MD5) algorithm to the stronger SHA-1 algorithm:

"VeriSign Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure services for the networked world, today announced an immediate transition to the SHA-1 algorithm on new RapidSSL brand certificates as of 11:00 a.m. Pacific on Tuesday, December 30. Additionally, VeriSign is offering free re-issuance of RapidSSL Certificates on the SHA-1 algorithm to replace those created with MD5.

The transition to the SHA-1 algorithm came within a few hours of the public unveiling of an MD5 flaw presented by researchers during the 2008 Chaos Communication Congress (CCC) in Berlin, rendering the MD5 flaw ineffective for all new RapidSSL Certificates.

During the Berlin event, researchers presented findings that highlighted an MD5 collision attack using substantial computing power to create a false SSL Certificate using the RapidSSL certificate brand. The attack was a potential method to create a new, false certificate from scratch and required the issuance of new certificates, meaning existing certificates were not targets for this attack.

"

VeriSign also made a point to note that it already had been well under way in phasing out the MD5 algorithm by the end of this January.

Read more about:

2009

About the Author

George V. Hulme, Contributing Writer

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights