Browser Security Fail, MD5 broken, CA gone rogue


A group of security researchers (Alex Sotirov, Jacob Appelbaum, Marc Stevens, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger) has identified a vulnerability in the public key infrastructure used to issue digital certificates for secure websites. As a proof of concept, they have shown that they can carry out an attack scenario that creates a rogue Certificate Authority (CA) trusted by all common browsers. This allows one to impersonate any website on the Internet, including banking and other transaction-based sites secured with the HTTPS protocol (SSL).