“A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers announced on Tuesday.”

It's totally retarded that some lame CAs are generating real certs
based solely on the MD5 of the requesting cert rather than the entire
cert. That's just asking for bad things to happen, especially when MD5
collision attacks have been widely available for years now.

I think that the takeaway here is what I read in my Applied Cryptography
textbook 15 years ago. Cryptography is never permanent security. It only
needs to be good enough to not be crackable in the amount of time the
data is valuable. Which you would think would be the lifetime of an HTTP
transaction, but the way they designed the chain of trust, it can be
cracked at any time. The problem with the browser security model and its
dependence on root CAs and the like is that it basically froze its
security model in time around 1997 or so. Not that anyone thinks twice
about updating the root certs in their browsers, or checking the chain
of trust when they get an error anyway, even people like us that know
better :)

The model is broken and the technology is antiquated. Banks need to come
up with their own security models, preferably ones utilizing two-factor
authentication. You could probably get away with plaintext HTTP if you
gave people SecurIDs and made them use them for every transaction,
including ones over the phone. It would render phishing attacks useless
as well. Some banks are doing it for business accounts, but no one is
doing it for normal checking except for E-Trade, I believe. All for a
relatively nominal cost, at least in terms of the hardware (keys are
less than $50 each now). When the cost to implement becomes significantly
less than the cost of bank fraud, I guess they will force their users to
use it, or at least offer it as an option.