Security

An SSL security guru is urging incentives to promote website certificate upgrade in response to problems with a widely-used digital-signature algorithm. Collisions in the MD5 hashing algorithm mean that two different inputs can produce the same output. Last year independent researchers showed how the cryptographic flaw might make it possible to forge counterfeit digital certificate credentials. The trick might be used to set up phony websites with bogus certificates that, as far as a visiting surfer's browser is concerned, are indistinguishable from the real thing. Dr Taher Elgamal, chief security officer at Axway, who is credited as the inventor of Secure Socket Layer (SSL) technology, told El Reg that solving the problem means moving onto digital certificates that use a more secure SHA-1 or SHA-2 hash function. However, progress has been far too slow, according to Elgamal. Although he didn't have figures the distinguished cryptographer was adamant that the digital certificate refresh process was p[proceeding only at snail's pace, and needed to be pushed along.

Original Article