Security Advisory

Recent Flaw found in hashing algorithm MD5 - GlobalSign not affected

On December 30, 2008 at the Chaos Communication Congress in Berlin, researchers presented a paper in which they had used an MD5 collision attack to successfully create a rogue Certification Authority (CA) certificate trusted by all common web browsers and that appeared to have been issued by VeriSign's RapidSSL brand. The full paper is available here.

None of the Certificates GlobalSign issues today use the MD5 Algorithm. GlobalSign has always adopted the most security conscious algorithms and processes for maximum ubiquity. From its inception we have used 2048bit RSA CA Certificates and have never issued directly from our root. We have the SHA1 hash in use across all our CAs and certificates.

Note, there have been no known security compromises from this attack on MD5 and all affected CAs claim to have taken appropriate action.

For more information on why the use of Intermediate Certificates provides a more secure PKI hierarchy with less chance of infrastructural compromise, click here.

To speak to a GlobalSign security representative, please contact your appropriate regional office.