Foxmarks Uses Vulnerable MD5 Certificates
January 13, 2009 – 5:57 AM
I decided to try the ever-popular Firefox plugin called Foxmarks that lets you sync and back up your bookmarks and passwords across multiple computers. I didn’t feel comfortable using the password sync quite yet because it will take me a while to trust a third party with that kind of information, but I did want to try the bookmark sync and see what all the hype was about. I got it downloaded and installed and started the registration process through the browser interface, and when you are done it sends an email to verify that you’ve given a real email address. I got the email a few seconds later and clicked the verification link, and another Firefox plugin I have, called SSL Blacklist, alerted me with this error:
Yep, Foxmarks is still handing out vulnerable MD5 certificates that are now known to be even more vulnerable than ever. I certainly do not want to be sending all my account information and website passwords over to their servers now. I think I’ll explore the other option they have that allows you to store your information on your own servers (SSL via SHA1 hashes). I would trust that a lot more.
Note: This problem has since been fixed. See the comments.