Knowledge Essentials - 3Essentials Hosting

Is my SSL protected site affected by the SSL-MD5 vulnerability?

Article ID: 689


At the end of December 2008, at the Chaos Communication Congress in Berlin, three researchers presented a paper in which they used an MD5 collision attack and substantial computing firepower to create a false SSL Certificate using the RapidSSL brand of certificates. 

3Essentials sells RapidSSL certificates, and as such provides the following information regarding those certificates and this MD5 vulnerability.  If you purchased your certificate from another provider, we recommend you contact that provider regarding your questions about the MD5 vulnerability and your SSL certificate.

VeriSign has announced (regarding its brands VeriSign, GeoTrust & RapidSSL) that the articulated attack was immediately rendered ineffective for all SSL Certificates available from VeriSign. This vulnerability does not affect any existing end-entity certificates, including RapidSSL.

VeriSign has also issued a press release on this issue, and provided the following QUESTIONS & ANSWERS. You may also want to review updates on the VeriSign SSL Blog.

Q: Are the researchers’ claims about the MD5 vulnerabilities accurate?

A: Because the researchers did not brief VeriSign on their findings, we have only gotten this information on Tuesday, December 30, 2008. There is nothing in the research that upon cursory examination appears to be inaccurate. As we have the opportunity to properly examine this paper, we will have a more definitive response to this question.

Q: How has VeriSign mitigated this problem?

A: VeriSign has removed this vulnerability. As of approximately 11:00 am December 30, 2008, the attack laid out in Berlin cannot be successful against any RapidSSL certificate nor any other SSL Certificate that VeriSign sells under any brand, including VeriSign, GeoTrust, thawte, and RapidSSL.

Q: As a site operator what do I need to do to protect the security of my site?

A: No action is required of SSL customers. No existing certificates are affected by this attack and the vulnerability has been rendered ineffective for all RapidSSL Certificates moving forward.

Q: Is VeriSign going to stop using MD5 as a result of these findings?

A: VeriSign has been phasing out MD5 over the past two years; the planned phase-out date has been on the roadmap for late January 2009 (less than one month from now). In light of last week’s presentation, VeriSign will be accelerating this phase-out to the earliest safe date. We will notify the public when the phase-out is complete.

As of December 30, 2008, we have discontinued using MD5 when we issue RapidSSL certificates, and we have confirmed that all other SSL Certificates we sell are not vulnerable to this attack.

Q: Why has it taken so long for VeriSign to phase out MD5?

A: Sunsetting a legacy technology within a business ecosystem takes time to be phased out as revoking and replacing certificates could potentially halt a customer's online business. As mentioned above, VeriSign will be accelerating this phase-out to the earliest safe date. We will notify the public when the phase-out is complete.

Q: How many Web sites are affected?

A: Zero. The attack, when it worked, was a potential method for a criminal to create a new, false certificate from scratch. The researchers did not demonstrate an attack against existing end entity certificates. In other words, you cannot use this attack to break a certificate that already has been issued to a site.

Q: Does the vulnerability impact only sites using RapidSSL certificates?

A: This vulnerability does not affect any existing end-entity certificates including RapidSSL.

Q: What happens to customers who have certificates in place using the MD5 hashing algorithm?

A: The research revealed a potential attack that required the issuance of new certificates. Existing end entity certificates are not at risk from this attack.

Until further notice VeriSign is suspending its normal replacement fees for these certificates. Because this replacement is not necessary to ensure the continued security of sites, we are not requiring the replacement of such certificates, as we have previously with the likes of weak Debian keys.

Q: The researchers mentioned that Extended Validation SSL Certificates are not vulnerable to the attack because they do not allow MD5. Is that true?

A: This is correct; EV SSL Certificates utilize the latest hash algorithm and are not affected by the newly-revealed MD5 vulnerabilities. The MD5 researchers specifically reinforced that EV SSL Certificates are safe from this attack. They stressed the need for consumers to move to EV-compatible browsers to get the most benefit from EV. 

Q: Is Internet security broken?

A: Hardly. The presenters of this paper stressed that it took them a long time and a great deal of computational power to succeed in their collision attack. VeriSign has already eliminated the attack as a possibility.


