Home » Articles » Netcraft Finds Bank, Government, Web Host Sites Using Vulnerable MD5-Signed SSL Certificates

Netcraft Finds Bank, Government, Web Host Sites Using Vulnerable MD5-Signed SSL Certificates

by Nicole Henderson

More than a thousand websites, including a few belonging to web hosts, are using SSL certificates signed using the MD5 digest algorithm, which Netcraft says is vulnerable to attack.

In Netcraft’s August 2012 SSL Survey, released on Friday, all but two of the 1,123 unique MD5-signed certificates in use were issued by Equifax between 2006 and 2008. The remaining two certificates were issued by VeriSign, and are due to expire within a month.

In 2008, a security researcher showed how a MD5 hash collision could be exploited to create a rogue CA that would be trusted by all common browsers. At the time, Netcraft found that 14 percent of all SSL certificates were signed using the MD5 algorithm.

The CA/Browser Forum no longer allows the MD5 digest algorithm to be used for root, subordinate or subscriber certificates, and all major browsers but the latest version of Mozilla Firefox no longer support MD5-signed certificates.

As certificates using the MD5 are still in use, despite the fact that they are largely untrusted, the lack of widespread standards across different security vendors is apparent. With the inconsistency across browsers, end-users could still be at risk.

Aside from “purportedly secure hosting providers”, sites using MD5-signed certificates include government sites in Australia, New Zealand, Ireland and the UK. Others include Reliance Bank and Commencement Bank, plus several online billing websites, “dozens of corporate webmail services” and a reseller of GeoTrust SSL certificates. This last one is rather peculiar since GeoTrust itself has added the affected certificates to its certificate revocation lists, hich has resulted in the certificates being rejected as invalid in many browsers.

In the July survey, Netcraft reported a significant number of websites involved in phishing scams enable encrypted connections via valid SSL certificates.

Talk back: Do you have any customers still using certificates signed using the MD5 digest algorithm? Let us know in a comment.

Wednesday, Sep 5th, 2012