Although this is not a direct WordPress vulnerability, it is a severe vulnerability that webmasters should be aware.

A new paper out this week details the exploit of MD5 and Certificate Athorities (CA). What makes this such a scary and threatening attack is the use of MD5 to secure a website identity. Using the HTTPS protocol, web surfers verify the identity of secure sites by checking for the lock icon and the use of HTTPS in the web address.

Using this exploit, an attacker can fake the authenticity of a website by giving the user a genuine certificate.

What can you do to protect the identity of your site, and sites you visit?

The first thing is to make sure the CA is using SHA-2 instead of MD5. Next is to make sure the CA of the sites you visit do the same. Sure, this isn’t the best advise, and not everyone will take it, but at the moment, it is the only way to be sure you are safe.

Please read through the paper here. It is quite detailed, and will let you know exactly how the exploit was achieved.