MD5/rogue CA attack: The sky is not falling

Guest post by John Viega

Today there’s been a lot of buzz about the clever new attack on public key infrastructure from Alex Sotirov and a team of researchers. In the attack, the bad guy ends up with his own Certification Authority (CA) that is fully trusted according to every major browser. People are declaring that the entire Internet is broken, and that it will be hard to fix. This is simply not true.

The major misconception I’m seeing over and over is that the problem lets the bad guy steal the signature from any valid MD5-signed certificate on the Internet.


Actually, the attack works by the bad guy generating two certificates: one that is just a regular web site certificate, and one that is a CA certificate. Then, to get the CA certificate trusted, the bad guy submits the web site cert. If he can predict the internal values the CA will use when he starts generating the certificates (a process that currently takes a few days), then he will get back a signature that can be pasted onto the CA cert. That allows the rogue CA to generate new certs to impersonate anybody on the Internet (e.g.,

This means that existing certificates aren’t currently an attack vector, unless they were actually used in an attack.

As a result, this hole is easier to close than people think.  The few CAs signing certs with MD5 need to switch to SHA1 (or something stronger).  That immediately gets rid of the problem for new certs.


For old certs, the risks are also pretty low. Given the up-front research and development costs that would have been necessary, there’s a very good chance that bad guys have focused on low-hanging fruit like social engineering instead of investing the research dollars.

Once the researchers publish technical details on the tricks they used to make the attack cost effective, then probably some bad guys will try, as long as there are still vulnerable CAs.  My guess is that there won’t be.

Even if some bad guys have done all the work, it’s unlikely to have been used more than a handful of times. Either the bad guys will use their fake CA credentials selectively so as not to get caught, or they will get caught quickly, and the certs will be blacklisted. Either way, the long-term risks are negligible, as long as all CAs migrate from MD5 immediately, or take other precautionary measures, such as using a random certificate ID instead of a sequential one.

And for those CAs that don’t take mitigating steps immediately, the operating systems and browsers of the world should move to blacklist them ASAP.

Right now, the only CA that seems to consistently sign using only MD5 (signing with both also thwarts this attack) is RapidSSL/FreeSSL (FreeSSL is owned by RapidSSL, and is used for trial certs). Who knows why these guys have not migrated away from MD5. But assuming they do it soon, there is little to worry about.
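The remedy above is for CAs to stop signing with MD5 and for browsers to refuse certs from CAs that don't. The check below is an added example, not code from Viega's post: a dependency-free DER walker that reports the outer signature algorithm and the serial number of an X.509 certificate and flags md5WithRSAEncryption. The `tlv`, `encode_oid` and `build_sample_cert` helpers only construct a structurally valid dummy certificate so the example runs offline; in practice you would feed `inspect_certificate` the bytes of a certificate exported in DER form.

```python
MD5_RSA_OID = "1.2.840.113549.1.1.4"             # md5WithRSAEncryption (PKCS#1)
SIG_NAMES = {MD5_RSA_OID: "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos=0):                         # one DER TLV -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):                             # OID value -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                            # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def inspect_certificate(der):                     # serial, outer sigAlg and MD5 flag
    _, cert, _ = read_tlv(der)                    # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs, pos = read_tlv(cert)
    _, alg, _ = read_tlv(cert, pos)               # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    oid = decode_oid(read_tlv(alg)[1])
    tag, body, pos = read_tlv(tbs)                # serialNumber follows the optional [0] version
    if tag == 0xA0:
        tag, body, pos = read_tlv(tbs, pos)
    return {"serial": int.from_bytes(body, "big", signed=True), "sig_oid": oid,
            "sig_name": SIG_NAMES.get(oid, "unknown"), "md5_signed": oid == MD5_RSA_OID}

# --- constructed sample input: structurally valid but meaningless; short-form lengths only ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body         # demo encoder, bodies < 128 bytes

def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = [a[0] * 40 + a[1]]
    for v in a[2:]:
        chunk = [v & 0x7F]; v >>= 7
        while v: chunk.append(0x80 | (v & 0x7F)); v >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def build_sample_cert(sig_oid, serial):
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")                   # OID + NULL params
    ser = tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))  # DER-positive INTEGER
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + ser + alg)          # [0] v3, serial, sigAlg
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(16)))        # dummy signature BIT STRING
```

`inspect_certificate(build_sample_cert(MD5_RSA_OID, 3425))` reports `md5_signed: True`, while the same call with the SHA-256 OID does not; the serial is surfaced because a small sequential value is the other ingredient the post says CAs should randomize.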

* John Viega is CEO of Stonewall Software and author of several security books including the classic Building Secure Software (Addison Wesley, 2001), and the forthcoming Myths of Security (O'Reilly, 2009). Follow him on Twitter.

  • CA changing to something other than MD5...

    is the easy part. The new CA certs will need to be deployed along with new certs for the websites. Also, the cert revocation list should be updated.
  • RE: MD5/rogue CA attack: The sky is not falling

    I really do appreciate Viega's sober correction to the panic inspired by the first article on this topic I read: "SSL is broken".

    After all: after reading the first article, I was pretty sure the right response is, "fine, I just won't trust any cert using MD5". And now Viega has confirmed that I was mostly right, adding the correction that I only need worry about NEW certs.
    • You need to worry about any cert with MD5

      The hackers can backdate certificates!!!
      • Not to mention

        All the browsers will need to be updated to reject the MD5

        Apparently Viega knows some magical way of pulling
        this off very quickly.

        Well all I have to say is good luck.
  • Reasonable post.

    Wow, John. You seem like a pretty nice guy IRL after all.
  • Not impressed... the crack, but amazed at the power of the Playstation 3. This is done so quickly by using a 200-machine PS3 cluster. At up to 2 TFLOPS each, the PS3 is a monster for computing apps!
    • PS3 Supercomputer

      Try Googling that heading, you'll find that just 8 PS3s linked together can replace a supercomputer. 200 of them is an incredibly massive amount of computing power.
    • It's true that the PS3 is amazing

        But it would probably be more economical to buy the
        Cell processors on their own, since with the PS3
        you're also paying for a great video card.
  • RE: MD5/rogue CA attack: The sky is not falling

    Actually, CAs can just use their existing certs, as long as they
    sign all certs using SHA1 or better. Note that all CAs affected
    have already fully resolved the problem.
    John Viega
  • I know little about the subject, but ...

    I take these and most warnings with a grain of salt, including this post. Obviously I don't have to depend on them, so ... mostly NBD, but even when they would affect me, I still don't go overboard until/unless I see more than a proof of concept. To do more I would have to move from a healthy paranoia state to one of obsessive paranoia IMO, and although I appreciate pro-active methods, I won't go overboard with them. It may be Famous Last Words, but that's served me well so far and the odds seem to stay in my favor.
  • Difficult to use the attack

    It seems like they had to make a real effort to make the "real" CA in the way they needed to make it fit with their fake CA, e.g. buying hundreds of CA-certificates in order to get the serial number right and asking for it with a second precision to get the timestamp right...
  • Actually, the sky has fallen before the MD5 attack