Yes, these vulnerabilities are real. The world of security is about reducing, not eliminating, risks and threats....
What Mr. Kaminsky pointed out is that many PKI certificate common names are still being created using old hash functions -- MD5 and MD2 -- which are known to have exploitable weaknesses, instead of the stronger SHA-2 family of hash functions (SHA-224, SHA-256, SHA-384 and SHA-512).
Does this mean that PKI is no longer a trusted method of protection? No. As with any security technology, it's up to IT and security personnel to ensure that their protection and authentication technologies are kept up-to-date and that they follow the latest configuration and deployment recommendations such as those outlined by the OASIS Public Key Infrastructure Adoption (PKIA) Technical Committee or the NIST Federal PKI program (FPKI).
It's a fact that there are people out in the world actively working on gaining access to your information. PKI certificates, as an encryption/decryption method for protecting this information, are prime targets of attack, but they will still work well if the technology is kept current.
For more information:
- Learn more about security, authentication and implementation for PKI and digital certificates.
- Should PKI be used for laptop encryption? Read more.
Dig Deeper on PKI and digital certificates
Related Q&A from Randall Gamby
Learn how to create account lockout policies that detail how many unsuccessful login attempts are allowed before a password lockout in order to ... Continue Reading
When it comes to minimum password length, 14-character passwords are generally considered secure, but they may not be enough to keep your enterprise ... Continue Reading
Enterprise SSO products have matured over the years, so what's the state of eSSO today? Expert Randall Gamby discusses. Continue Reading