Today I listened to episode 179 of the Security Now podcast. Here's a brief summary:
The main theme was certificates, which are used to encrypt information sent over the internet. For example, banks use certificates to encrypt the data sent to and from your computer when you are performing online banking functions. These certificates are issued to organizations by certification authorities, or CAs, and they can always be traced back to a root CA (like VeriSign). Through a complicated process, some people were able to create a counterfeit certificate that could be traced back to a root CA. This means that their certificate would be trusted by all browsers, plus they could issue new certificates that would be trusted. Now this process was not easy to complete, but it shows that certificates are not completely secure.
So how can I apply this to a web application? Well, it is still smart to use certificates to send passwords and other sensitive information over the internet, but there is nothing that I can do to prevent others from creating counterfeit certificates. The web would have to discontinue use of MD5-signed certificates (MD5 was the hash algorithm used to sign the "cracked" certificate) and use something even more secure.
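Added example (not code from the podcast or this post): a defender-side check in pure Python that reads the signatureAlgorithm field of a DER-encoded certificate and flags the MD5 signing that the episode describes. The certificates fed to it are constructed stand-ins; in a real audit you would run it over every certificate in a chain below the self-signed root.

```python
# Added example (not from the podcast or this post): flag X.509 certificates whose
# outer signature uses MD5, the weakness the rogue CA certificate exploited.

WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # PKCS#1 MD5 OID

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn OBJECT IDENTIFIER contents into dotted-decimal text."""
    arcs, acc = list(divmod(value[0], 40)), 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the dotted OID found in the signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def weak_signature(cert_der):
    """Return the weak algorithm name, or None if the signature hash is not MD5."""
    return WEAK_SIG_OIDS.get(signature_algorithm_oid(cert_der))

# Constructed stand-ins (not real certificates): dummy tbsCertificate and signature,
# only the signatureAlgorithm field is meaningful.
_DUMMY_TBS = "3003020101"                 # SEQUENCE { INTEGER 1 }
_DUMMY_SIG = "030500aaaaaaaa"             # BIT STRING with 4 filler bytes
def _sample(alg_hex):
    body = _DUMMY_TBS + alg_hex + _DUMMY_SIG
    return bytes.fromhex("30%02x" % (len(body) // 2) + body)
MD5_SAMPLE = _sample("300d06092a864886f70d0101040500")     # md5WithRSAEncryption, NULL
SHA256_SAMPLE = _sample("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
```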
Saturday, January 24, 2009