In a , Microsoft acknowledged the disclosure earlier in the day of an exploit of long-known bugs in the used to create the digital certificates that in turn provide proof of a secure connection between users and Web sites. But the software vendor minimized the danger that users could face.
"This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," said Microsoft. The company added that it wasn't aware of any actual attacks using the techniques described by an international team of researchers from Germany, the Netherlands, Switzerland and the U.S.
Microsoft also noted that most of the certificate authority vendors that issue digital certificates have abandoned MD5 and upgraded to the more secure SHA-1 algorithm.
However, there are several notable exceptions that still rely on MD5, including 's RapidSSL.com certificate authorization scheme. The researchers, who presented their findings at a security conference in Berlin today, said they in fact were able to hack RapidSSL.com and produce fake digital certificates.
A more stringent class of digital certificates, dubbed Extended Validation, are always signed using SHA-1, Microsoft added. "As such, [they] are not affected by this newly reported research," the company's advisory read.