Trust no one:
Cryptographers have found a way to snip a digital signature from one document and attach it to a fraudulent document without invalidating the signature and giving the fraud away.
The development means that attackers could potentially forge legal documents, load certified software with bogus code, or turn a digitally signed letter of recommendation into one that authorises access to private information.
“It’s not the end of the world yet, but we need to stop using MD-5 and SHA-1 before it is,” notes Dan Kaminsky, an independent security consultant based in Seattle, Washington, US.
Via New Scientist.