VeriSign announced an immediate transition to the SHA-1 algorithm on new RapidSSL brand certificates. The transition to the SHA-1 algorithm came within a few hours of the public unveiling of an MD5 flaw presented by researchers during the 2008 Chaos Communication Congress (CCC) in Berlin, rendering the MD5 flaw ineffective for all new RapidSSL Certificates.
During the Berlin event, researchers presented findings that highlighted an MD5 collision attack using substantial computing power to create a false SSL Certificate using the RapidSSL certificate brand. The attack was a potential method to create a new, false certificate from scratch and required the issuance of new certificates, meaning existing certificates were not targets for this attack.
Because the exploit never impacted certificates already in production on Web sites, including previously-issued RapidSSL Certificates or any other VeriSign brand certificate, current certificates used by banks, brokerages, online merchants, and all other SSL-using entities were not affected by this exploit.
Chris Babel, SVP and General Manager of VeriSign commented:
We applaud this team’s research and efforts to improve online security as well as their disclosure of the findings for the benefit of the broader Internet community. We take issues like these very seriously and work quickly to remedy vulnerabilities that could potentially affect trust and security online.