Initial assessment of rogue certificate authority risk
Wednesday, December 31st, 2008

Bottom line up front: Risk has not changed significantly as a result of research into rogue Certificate Authority attacks. This is a significant attack on an obsolete hash algorithm, but there is no known threat, and countermeasures are already taking place to reduce and possibly eliminate the potential that a threat actor will succeed using this attack.
There are numerous explanations of the technical vulnerability announced Tuesday, December 30, 2008 at the Chaos Communications Congress in Berlin. Brian Krebs at the Washington Post has done his customary superb job of making this understandable to the average Internet user. Professor Ed Felten at Princeton University crafted a version for those security professionals not normally earlobe-deep in cryptography and PKI. And Professors Gene Spafford at Purdue University and Steve Bellovin at Columbia University each have perspectives beyond the technical to explain how this happened and what information professionals can and should do now. They explain how this problem has been stalking us since 1996 and how we hit the snooze alarm then, in 2004, 2005, and last year.