The write-up of the attack suggests that examining a suspect certificate for a signing algorithm using MD5 and for an unexpected field, such as a “Netscape Comment” extension, is a good way to spot the attack (if you are an expert). Funnily enough, it turns out that comments on MD5-signed certificates are actually fairly common – for example, you can see one here: https://es.gnu.org/. I’m not sure what tool makes these certificates (other than that it appears to be OpenSSL based) – anyone out there know?
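As an added illustration of that check (example code, not from the original post), the following shell script uses the openssl command-line tool to flag a certificate that is both MD5-signed and carries a Netscape Comment extension; rather than fetching anything, it generates two constructed self-signed test certificates, and the subject name and comment value it uses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: flag certificates that show the
# two traits the post mentions, an MD5-based signature algorithm and a
# "Netscape Comment" extension. Needs the openssl command-line tool.
set -eu

# suspicious_cert FILE: print what was found; succeed (exit 0) only when the
# certificate is MD5-signed AND carries a Netscape Comment extension.
suspicious_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    md5=0
    comment=0
    # openssl prints e.g. "Signature Algorithm: md5WithRSAEncryption"
    if printf '%s\n' "$text" | grep -qi 'Signature Algorithm: md5'; then md5=1; fi
    # the extension is rendered as "Netscape Comment:" under X509v3 extensions
    if printf '%s\n' "$text" | grep -q 'Netscape Comment'; then comment=1; fi
    echo "$1: md5_signature=$md5 netscape_comment=$comment"
    [ "$md5" -eq 1 ] && [ "$comment" -eq 1 ]
}

# make_cert FILE DIGEST [extra openssl req args...]: constructed self-signed
# test certificate; the subject name is an assumption, the key is discarded.
make_cert() {
    file=$1; digest=$2; shift 2
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$file" \
        -subj "/CN=constructed-test" -days 1 "-$digest" "$@" 2>/dev/null
    rm -f "$key"
}

# Demo: one cert with both traits, one plain SHA-256 cert without them.
DEMO_DIR=$(mktemp -d)
make_cert "$DEMO_DIR/md5-comment.pem" md5 -addext "nsComment=OpenSSL Generated Certificate"
make_cert "$DEMO_DIR/sha256.pem" sha256
for c in "$DEMO_DIR"/*.pem; do
    if suspicious_cert "$c"; then echo "  -> matches the pattern, review it"; fi
done
```

Because comments on MD5-signed certificates are common, a match here is a reason to look closer, not proof of a forged certificate.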
While I’m on the subject, people have opined that I might have been hasty in judging the authors, since they have, apparently, spoken to some subset of the people they should have. OK, perhaps I should not have used the term “0day”, but responsible disclosure means making a reasonable effort to contact the appropriate people. If you were serious about responsible disclosure and you had an attack on SSL wouldn’t you discuss it with the guys who maintain the most widely used SSL software in the world? I think you would. Perhaps I’m missing something?
And on that note, I think we should remove OpenSSL’s ability to sign with MD5. Unfortunately removing MD5 altogether is pretty much out, since that would break SSL and TLS. Refusing to verify with MD5 would be nice, too, but it looks like that would also break a lot of existing certificates, so I suspect if we’re going to do that, we should schedule it for a while in the future. Also, I’m wondering if we should rename the MD5 functions so that everyone using it is forced to do some kind of code review, if only to decide they’ll continue to use the broken algorithm. Any thoughts?