Friday, January 9, 2009

SSL Blacklist - Useful tool for recent MD5 risk

Marton Anka (www.CodeFromThe70s.org) has a pretty nifty tool for detecting pages that use certificate chains with signatures based on the MD5 algorithm, which was recently attacked.

The tool is a Firefox extension that pops up a window informing the user that the certificate used by the page is potentially compromised and that access to that URL may not be secure. Here is a screenshot:

Following the recent compromise of SSL certificates and the fact that a lot of DNS servers still remain unpatched against the Kaminsky attack, this is a tool that I am using and would recommend to anyone. Keep in mind that this only informs you about a potential risk. It does not know if the certificate is indeed insecure (as there is no way to know this).

Also, as I learned from my favorite podcast (Security Now!), certificates can be reissued for free so that they are signed using SHA-1 instead of MD5. So, when you come across a site that has an MD5-signed certificate, drop a message to the webmaster to inform them about this.
