Not too long ago I wrote up an article on an exploit found in the MD5 Hash that can be used to compromise the security of certain SSL Certificates.

In that I made the comment that "Security experts have discovered that there is a fairly easy way to mimic the digital ID for CA authority sites" however this is not completely true. It is true for all CAs that use the MD5 has for generating their Digital IDs and certificates.

While MD5 is an older and much weaker cryptographic method many CAs have moved on and no longer allow its use. Additionally most companies that use MD5 also allow for fully automated certificate generation. This means that all you have to do to have your certificate created is respond to an e-mail.

Companies like Entrust and VeriSign use a much more in depth method that usually requires verbal authentication by an authorized user and phone number that is pre-set when you create your account with them. Setting up the account is also much more complicated and often requires documentation on company letter head to identify persons authorized to request certificates for the company. They also issue a 3rd level of certificate as part of the new EV (Extended Validation) Certificate standard. This is the intermediate certificate and help with server and CA validation. EV Certificates are also not created using MD5 thus removing one of the biggest fears for web certification.

One big item to help the average browser is that with the introduction of IE 7 the browser is able to differentiate between EV and Non-EV Certificates and graphically displays them. FireFox and Opera 9 also pick up on this new standard and will warn the user that something might not be right with the certificate if the Intermediate Cert is not there.

You can read more about the EV Certificate standard here