Cisco Recommends Using SHA1 Hash for IOS CA and ASA CA


Cisco Security recommends changing the default behavior of the IOS CA to use SHA-1 hashing instead of the default MD5 hashing for certificates. Although the ASA CA may not be vulnerable to these attacks in the way the IOS CA is, Cisco still recognizes the weakness in MD5 and plans to change the default behavior for the generation of end-entity certificates.
Cisco Security Response: MD5 Hashes May Allow for Certificate Spoofing

Verisign has stated that it has stopped using MD5 in its CAs, including its RapidSSL CA. In Verisign's blog post on the MD5 attacks, as you can see from the comments, users are concerned about the certificates already online that were generated with an MD5 hash.

MD5 considered harmful today is the publication released in Berlin on Dec. 31st 2008 by Alexander Sotirov, Arjen Lenstra, Dave Molnar, Dag Arne Osvik and Benne de Weger. Their attack takes advantage of what had been a theoretical scenario, MD5 collisions, which exploit a weakness in the hash function itself.
They recommend the stronger hash functions SHA-1 and SHA-2 to help prevent a rogue CA from becoming an authority of trust.

There may be other concerns besides just the browser and the web server, such as code signing certificates or email certificates.
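Since the weak link is any certificate signed with MD5, whatever it is used for, a first step is inventorying what a CA or a host actually holds. The following is an added example, not from this post, Cisco or Verisign: a pure-Python checker that walks a certificate's DER, reads the outer signatureAlgorithm OID and flags md5WithRSAEncryption. The OIDs are the standard PKCS#1 values; the toy certificate skeleton it builds for demonstration is constructed (its tbsCertificate is a dummy), and `toy_cert_pem` is a helper name chosen here.

```python
import base64, re

# Real PKCS#1 signature-algorithm OIDs; the page's concern is the first one.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption"}

def der_tlv(buf, pos=0):  # parse one DER element -> (tag, content, next pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # first byte packs two arcs, the rest are base-128 groups
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):  # dotted OID of the outer signatureAlgorithm
    _, cert, _ = der_tlv(der)             # Certificate ::= SEQUENCE { ... }
    _, _, pos = der_tlv(cert)             # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)     # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = der_tlv(alg_id)         # its first element is the algorithm OID
    assert tag == 0x06, "expected an OBJECT IDENTIFIER"
    return decode_oid(oid)

def check_pem(pem):  # -> (algorithm name, is_weak) for a PEM certificate
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    name = SIG_ALGS.get(signature_algorithm(der), "unknown")
    return name, name in WEAK

def toy_cert_pem(last_oid_byte):  # CONSTRUCTED skeleton: dummy tbs, real OID
    der = (bytes.fromhex("3017 3003020101 300d 0609 2a864886f70d0101")
           + bytes([last_oid_byte]) + bytes.fromhex("0500 030100"))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for last in (0x04, 0x05, 0x0B):       # md5 / sha1 / sha256 WithRSAEncryption
        print(check_pem(toy_cert_pem(last)))
```

Point `check_pem` at real PEM files exported from a CA or server to get the same (name, weak) verdict; anything reported as md5WithRSAEncryption is a certificate the post is warning about.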

© 2010 netForensics, Inc