Via Ed Felton, news of a medium-sized bombshell in Researchers Show How to Forge Site Certificates:
Today at the Chaos Computing Congress, a group of researchers (Alex Sotirov, Marc Stevens, Jake Appelbaum, Arjen Lenstra, Benne de Weger, and David Molnar) announced that they have found a way to forge website certificates that will be accepted as valid by most browsers. This means that they can successfully impersonate any website, even for secure connections.
This is a big deal. But as Ed explains, it is based on an making worse a known weakness in the “MD5 with RSA” hashing algorithm. It can be fixed by having Equifax, which uses this now shown-to-be-insecure hast, replace the hash with something better. And having Equifax (and anyone else using it) revoking all existing certs based on this now vulnerable hash. (Which will cause a new wave of people ignoring security warnings…)
And, as Ed wisely notes,
… this is a sobering reminder that the certification process that underlies web site authentication —- a mechanism we all rely upon daily —- is far from bulletproof.