Microsoft Downplays MD5 Hashing Algorithm Hack

In its response to security researchers’ claims of a method to launch undetected attacks on users’ PC by creating forged digital certificates, Microsoft Corp. has asserted that it is not expected to pose any significant threat to users.

Microsoft in its security advisory recognized the exploit of bugs in ‘MD5 hashing algorithm’, so as to create fake digital certificates that serve as a testimony for safe and secured connection between users and websites.

Downplaying the threat to the users, Microsoft said, “This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information”.

In addition, the software giant notified that it hasn’t observed any attacks that have been described the group of security researchers from the US, the Netherlands, Germany, and Switzerland.

While most of the vendors that issue security certificates have upgraded to the latest SHA-1 algorithm, and dumped MD5 algorithm for creating digital certificates, Microsoft added.

Earlier, during the 25th annual Chaos Communication Congress in Berlin, a consortium of researchers had demonstrated the way to create fake digital license of RapidSSL, a firm frequently used by browsers to differentiate genuine websites from malicious ones, and the method was illustrated on around 200 PlayStation 3 gaming consoles.

Go To Page 2 for our comments and more related links

Our Comments

Cryptography is going to play an increasingly important role in everyday life as the number of transactions happening online increases. The current recession is certainly accelerating this as retailers try to cut costs and reduce overheads. Microsoft says that the researchers have not published the cryptographic background to the attack but this doesn't mean that criminals both online and offline won't try to exploit this technique.

Related Links

Researchers' Web Certificate Hack Highlights Big Internet Flaw

(CRN)

Secure Certificate Hack Doesn't Imperil Users

(Tidbits)

Microsoft: MD5 hack poses no major threats to users

(Computer World)

Cracks Emerge in a Web Security Scheme

(Business Week)

MD5 collision creates rogue Certificate Authority

(Crunch Gear)

Researchers Create Web Skeleton Key With 200 PS3s

(Gizmodo)

Boffins bust web authentication with game consoles

(Register)