ZDNet reports a group of US and European hackers managed to target a known weakness in the MD5 algorithm to create a "rogue" Certification Authority (CA). To achieve this, they used the computing power of a cluster of 200 PlayStation 3 consoles.
The research, which will be presented today by Alex Sotirov (top left) and Jacob Appelbaum (bottom left) at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable. Jacob Appelbaum
The research is significant because there are at least six CAs currently using the weak MD5 cryptographic algorithm in digital signatures and certificates. The most commonly used Web browsers — including Microsoft’s Internet Explorer and Mozilla’s Firefox — whitelist these CAs, meaning that a fake Certificate Authority can display any site as secure (with the SSL padlock).
“We basically broke SSL,” Sotirov said in an interview ahead of his 25C3 presentation.