Details Released Regarding SSL Fail

December 30th, 2008

For the last few months we’ve been watching Alex Sotirov tweet about breaking the internet. Often these posts were cryptic hints about a timing issue, several of which resulted in a setback. Today Alex, along with several other researchers, released details of just what they were trying to break, together with evidence that they had accomplished their goal.

Utilizing weaknesses in the MD5 hashing algorithm, the researchers were able to create an intermediate CA certificate whose signature collided with that of a legitimate website certificate they had previously requested and had signed by the CA; because the two certificates hash to the same MD5 value, the CA's signature on the legitimate certificate is equally valid for the rogue one. This effectively allows them to sign any website certificate they wish and have it appear as trusted by all common browsers. This is some very cool work, and it includes an extensive and thorough write-up located at http://www.win.tue.nl/hashclash/rogue-ca/.

Most of you reading this post have no doubt already done the reading, but holy crap…this is some awesomeness.

UPDATE: SSL Blacklist, a Firefox extension, can alert you to SSL certificates with MD5 signatures.
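As an added example, not code from the original post or from the SSL Blacklist extension, here is a pure-Python check in the spirit of that extension for the attack described above: it reads the outer signatureAlgorithm of each DER-encoded certificate in a chain and flags any signed with md5WithRSAEncryption, the algorithm the rogue CA work exploited. The sample certificates it builds at the bottom are constructed stand-ins with an empty tbsCertificate, not real certificates; `signature_algorithm` itself works on any real DER certificate.

```python
# Flag X.509 certificates whose outer signature is md5WithRSAEncryption by walking
# the DER: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
MD5_RSA = "1.2.840.113549.1.1.4"            # OID of md5WithRSAEncryption
def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length (real certs need this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(value: bytes) -> str:
    """OBJECT IDENTIFIER contents (base-128 arcs) -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends an arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate."""
    tag, cert, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(cert, 0)                # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)              # AlgorithmIdentifier
    _, oid, _ = _tlv(alg, 0)                 # its first element is the algorithm OID
    return _decode_oid(oid)
def md5_signed_members(chain: list) -> list:
    """Indices of chain members (leaf first) signed with MD5; treat those as untrusted."""
    return [i for i, c in enumerate(chain) if signature_algorithm(c) == MD5_RSA]

# Constructed sample input: certificate-shaped DER with an empty tbsCertificate and a
# dummy signature.  These are not real certificates, just enough to exercise the walk.
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body    # short-form length is enough here
def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return _der(0x06, bytes(out))
def fake_cert(sig_oid: str) -> bytes:
    alg = _der(0x30, _der_oid(sig_oid) + _der(0x05, b""))      # OID + NULL params
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00" * 9))
```

Running `md5_signed_members` over a chain of `fake_cert(...)` values (or real DER certificates read from disk) returns the positions of the MD5-signed members, which is exactly the condition the extension warns about.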
