I’m in two minds whether to even talk about this, but I guess it’ll be all over the ‘net soon.
A rather lovely attack on X.509 certificates exploiting the weakness of MD5 was released today. Read the (very well written) paper for all the gory details, but the short version is you construct a pair of certificates with colliding MD5 hashes. One of these you send off to get signed, and the other you carefully arrange to have the “CA” bit set. This means the second certificate can now be used to sign any other certificate: in effect you have become a CA, using what is known as a chained CA certificate.
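The practical defence this points at is not trusting any signature made over MD5, wherever it sits in the chain. As an added example, not code from the original post or from the paper it discusses, here is a standard-library DER walker that pulls the outer signatureAlgorithm out of each certificate in a chain and rejects the chain if any link is MD5- or MD2-signed. The function names are mine, and the sample chains are constructed skeletons with placeholder bodies, built only to exercise the check.

```python
# Added example, not from the original post: reject certificate chains that
# contain an MD5- or MD2-signed link.  Standard library only; the sample
# certificates are CONSTRUCTED skeletons with placeholder contents.

MD2_RSA = (1, 2, 840, 113549, 1, 1, 2)
MD5_RSA = (1, 2, 840, 113549, 1, 1, 4)
SHA1_RSA = (1, 2, 840, 113549, 1, 1, 5)
SHA256_RSA = (1, 2, 840, 113549, 1, 1, 11)
OID_NAMES = {MD2_RSA: "md2WithRSAEncryption", MD5_RSA: "md5WithRSAEncryption",
             SHA1_RSA: "sha1WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}
# A signature over a hash with practical chosen-prefix collisions says nothing
# about which of the colliding bodies the CA actually saw.
WEAK_HASH_OIDS = {MD2_RSA, MD5_RSA}


def der_read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos:]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_tlv(tag, value):
    """Encode one DER TLV (only used to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def decode_oid(value):
    """OID content octets -> tuple of arcs (first octet packs the first two)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def encode_oid(arcs):
    """Tuple of arcs -> OID content octets (base-128, high bit = more to come)."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def signature_algorithm(cert_der):
    """Arcs of the outer signatureAlgorithm of a DER Certificate, which is
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = der_read_tlv(body)          # skip tbsCertificate
    tag, alg_id, _ = der_read_tlv(body, pos)   # AlgorithmIdentifier
    tag2, oid, _ = der_read_tlv(alg_id)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return decode_oid(oid)


def audit_chain(chain):
    """[(index, algorithm name, acceptable)] for every certificate in the chain."""
    findings = []
    for i, cert in enumerate(chain):
        oid = signature_algorithm(cert)
        name = OID_NAMES.get(oid, ".".join(map(str, oid)))
        findings.append((i, name, oid not in WEAK_HASH_OIDS))
    return findings


def chain_is_acceptable(chain):
    """Reject the whole chain if any link is signed over MD2 or MD5."""
    return all(ok for _, _, ok in audit_chain(chain))


def make_skeleton_cert(sig_oid, label):
    """CONSTRUCTED sample: real outer layout, placeholder body and signature."""
    tbs = der_tlv(0x30, der_tlv(0x13, label))                               # stand-in tbs
    alg_id = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL
    sig = der_tlv(0x03, b"\x00" + bytes(16))                                # placeholder
    return der_tlv(0x30, tbs + alg_id + sig)


# Constructed chains, leaf first.  In SUSPECT_CHAIN the intermediate is the
# link the real CA signed over MD5; that is the only link the check must catch.
SUSPECT_CHAIN = [make_skeleton_cert(SHA256_RSA, b"leaf"),
                 make_skeleton_cert(MD5_RSA, b"intermediate, CA bit set"),
                 make_skeleton_cert(SHA1_RSA, b"root")]
CLEAN_CHAIN = [make_skeleton_cert(SHA256_RSA, b"leaf"),
               make_skeleton_cert(SHA256_RSA, b"intermediate"),
               make_skeleton_cert(SHA256_RSA, b"root")]

if __name__ == "__main__":
    for name, chain in (("suspect", SUSPECT_CHAIN), ("clean", CLEAN_CHAIN)):
        print(name, "->", "accept" if chain_is_acceptable(chain) else "REJECT")
        for i, alg, ok in audit_chain(chain):
            print(f"  cert[{i}] {alg}: {'ok' if ok else 'weak hash'}")
```

The point of walking every link rather than just the leaf is that the leaf in such a chain can be signed with anything the rogue CA likes; the MD5 signature that matters is the real CA's signature on the colliding intermediate, so a verifier that only inspects the end-entity certificate never sees it.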
So why are they morons? Because they chose to 0day this attack. Why? Users could have been protected from this exploit quite easily – only browsers and CAs had to be notified, which is easily achievable without premature public disclosure. I have no idea why they chose not to do this, but they’ve certainly destroyed any trust I had in them – which is a shame; at least some of them were people I respected.
Ironically, their attack is rendered somewhat pointless right now, as it has been recently shown that Comodo will issue a certificate for any website to anyone at all, without verification.