A team of researchers presenting yesterday at the 25th Annual Chaos Communication Congress held in Berlin,  have successfully demonstrated an attack against X.509 digital certificates signed by a trusted Certification Authority (CA) using the MD5 hashing algorithm. The attack method makes use of MD5 collision techniques which were known to exist since 2004 but demonstrated in practice for the first time.

Read more about the details here.

The discovery, however, does not post a serious security risk as the technique has not been disclosed. Furthermore, most CAs are already using at least SHA-1 for the hashing function instead of MD5. The slow mover, VeriSign, acknowledged the attack today and confirms that all certificates issued are not vulnerable to the new attack.

If you are still paranoid, get hold of an Extended Validation Certificate.

Happy New Year 2009!

Update (January 2 – 10:30PM +4GMT) – A Firefox plugin has been released that warns users about certificate chains that utilize MD5 hash algorithm for the RSA signature.