Protect yourself against MD5 certificates


SSL Blacklist showing that Gmail doesn't use the vulnerable MD5 algorithm.
SSL Blacklist showing that Gmail doesn't use the vulnerable MD5 algorithm, and that it's certificate issuer isn't on their black list.

I'm typing this post this evening on my beautiful 2002-vintage iBook with Mac OS X Tiger. Still going strong, definitely the most reliable and dependable system I've ever owned.

To be serious now though: it's official folks, there is now awareness of weaknesses of the MD5 algorithm used to sign secure certificates online. Sites that use the more secure SHA1 algorithm are safer, and RapidSSL is now offering it in place of MD5. Still, some are still using MD5, meaning if you connect to them you're not really using a secured connection.


An attack has been demonstrated yesterday that highlights the practicality of the well-publicized weaknesses of the MD5 algorithm. Essentially, any certificate signed with the MD5 algorithm may be counterfeit.

There is […] a large number of CAs out there, and it is certain that some of them will continue to use MD5 for one reason or another.

Therefore it may be prudent to avoid, or, at the very least, not place much trust in websites that authenticate themselves with the help of MD5. After all, there is no way to automatically distinguish between a chain with a genuine MD5-based certificate signature and a chain with a counterfeit certificate.

A solution to this is a Mozilla Firefox plugin called SSL Blacklist which places a small certificate notice in the bottom right hand side of your browser that indicates whether a page is secured with SHA1 or not secure with MD5. This allows you to make informed decisions when using secured sites, and to let existing web hosts know that they should upgrade.

Even before this vulnerability was demonstrated this plugin was a useful addition to the security conscious internet user's toolkit, but this lastest release makes it indispensable. If you don't have it in other words, grab it now! This is an order!

UPDATE: Steve Gibson also goes into great detail about the exploit and the plugin to protect yourself in Security Now 177.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.