Foxmarks Uses Vulnerable MD5 Certificates

January 13, 2009 – 5:57 AM

I decided to try the ever popular Firefox plugin called Foxmarks that lets you sync and back up your bookmarks and passwords across multiple computers.  I didn’t feel comfortable using the password sync quite yet because it will take me a while to trust a 3rd party with that kind of information, but I did want to try the bookmark sync and see what all the hype was about.  I got it downloaded and installed and started the registration process through the browser interface and when you are done it sends an email to verify that you’ve given a real email address.  I get the email a few seconds later and click the verification link and another Firefox plugin I have called SSL Blacklist alerted me with this error:

[Image: SSL Blacklist warning for the Foxmarks MD5-signed certificate]

Yep, Foxmarks is still handing out MD5-signed certificates, and MD5 is now known to be even weaker than before.  I certainly do not want to be sending all my account information and website passwords over to their servers now.  I think I’ll explore the other option they have that allows you to store your information on your own servers (SSL with SHA-1-signed certificates).  I would trust that a lot more.
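As an added example (not code from the original post, and not how SSL Blacklist itself works), here is a stdlib-only Python check that reads the signatureAlgorithm field out of a DER certificate and flags md5WithRSAEncryption, which is the kind of check that produced the warning above. The sample certificate is constructed inline; the OID table, helper names and dummy tbsCertificate are assumptions.

```python
# RSA PKCS#1 signature OIDs (1.2.840.113549.1.1.x); MD5 is the one worth flagging.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets to dotted form (first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends this base-128 arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, is_weak) from a DER Certificate's outer signatureAlgorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30: raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)  # its first element is the algorithm OID
    if tag != 0x06: raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, weak = SIG_ALGS.get(oid, ("unknown", False))
    return oid, name, weak

def _tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    return bytes([tag, len(content)]) + content   # short-form length (< 128) is enough here

MD5_RSA = "2a864886f70d010104"     # 1.2.840.113549.1.1.4  md5WithRSAEncryption
SHA256_RSA = "2a864886f70d01010b"  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption

def constructed_cert(sig_oid_hex):
    """Constructed sample: dummy tbsCertificate + real AlgorithmIdentifier + dummy signature."""
    alg_id = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL params
    return _tlv(0x30, _tlv(0x30, b"\x02\x01\x01") + alg_id + _tlv(0x03, b"\x00\xaa\xaa"))
```

To run it against a live site, feed it `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` from the standard library.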

Note: This problem has since been fixed.  See the comments.

2 Responses to “Foxmarks Uses Vulnerable MD5 Certificates”

(Disclosure: I work at Foxmarks.)

Hi,

Thanks for your post. We fixed this problem earlier today. Note that:

(1) We’re not a certificate authority — we weren’t handing out certificates.

(2) The SSL vulnerability that’s now been addressed is not one that would have compromised your passwords — those have always been encrypted (independently) using AES.

We use SSL as an added level of security to ensure that Foxmarks running on your computer is talking with our servers and that no one was eavesdropping on that conversation.

So, in principle, the worst thing that could have happened would be for some malicious third party to observe some communication between your computer and our server. All the password data is already encrypted, so, while we’re glad that this hole is now plugged, the actual risk exposure here is negligible.

-Todd

By todd on Jan 13, 2009

Thanks Todd.

And yes, I understand #1. I should have worded that a bit better.

Thanks for the comment. I will update the post that this problem has now been fixed.

Troy

By manunkind on Jan 13, 2009
