SSL broken! Hackers create rogue CA certificate using MD5 collisions


Using computing power from a cluster of 200 PlayStation 3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe has found a way to exploit a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA) certificate, a result that allows the forging of Web site certificates that are fully trusted by all modern Web browsers.

The research, which will be presented today by Alex Sotirov and Jacob Appelbaum at the 25C3 conference in Germany, effectively defeats the way modern Web browsers decide which secure Web sites to trust, and gives attackers a way to conduct phishing attacks that are virtually undetectable.

The research is significant because at least six CAs currently use the weak MD5 hash in the signatures on the certificates they issue. The most commonly used Web browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, ship those CAs' root certificates in their trusted lists, so a certificate that chains through the rogue CA makes any site display as secure (with the SSL padlock).

"We basically broke SSL," Sotirov said in an interview ahead of his 25C3 presentation.

Our main result is that we are in possession of a "rogue" Certification Authority (CA) certificate. This certificate will be accepted as valid and trusted by many browsers, as it appears to be based on one of the "root CA certificates" present in the so called "trust list" of the browser. In turn, web site certificates issued by us and based on our rogue CA certificate will be validated and trusted as well. Browsers will display these web sites as "secure", using common security indicators such as a closed padlock in the browser's window frame, the web address starting with "https://" instead of "http://", and displaying reassuring phrases such as "This certificate is OK" when the user clicks on security related menu items, buttons or links.

Researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands helped design and implement the attack, using an advanced implementation of a known MD5 chosen-prefix collision construction and a cluster of more than 200 PlayStation 3 game consoles.
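Why a hash collision lets the signature on one certificate vouch for a completely different one: the CA never signs the certificate bytes themselves, it signs their digest, so any second tbsCertificate with the same digest carries the same valid signature. The following is an added illustration, not the researchers' code or data. It substitutes a toy RSA key and MD5 truncated to 24 bits for the real primitives so that a chosen-prefix collision can be found by a plain birthday search in milliseconds, and the two subject strings are constructed. The real attack needed the dedicated MD5 chosen-prefix construction mentioned above and the PS3 cluster to find its collision; the signature-transfer step it relies on is exactly the one shown here.

```python
import hashlib

# Toy RSA key built from two well-known primes, constructed for illustration only.
# It is NOT a real CA key; the point is that signing and verification see only a digest.
P, Q = 65537, 2147483647
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))

HASH_BYTES = 3  # "MD5" truncated to 24 bits so a chosen-prefix collision falls out in milliseconds


def weak_hash(data: bytes) -> int:
    """Stand-in for a broken hash: MD5 truncated to HASH_BYTES bytes."""
    return int.from_bytes(hashlib.md5(data).digest()[:HASH_BYTES], "big")


def ca_sign(tbs: bytes) -> int:
    """The CA signs the digest of the to-be-signed certificate bytes (textbook RSA, no padding)."""
    return pow(weak_hash(tbs), D, N)


def verify(tbs: bytes, sig: int) -> bool:
    """A relying party recomputes the digest and compares it with the value recovered from the signature."""
    return pow(sig, E, N) == weak_hash(tbs)


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes) -> tuple:
    """Return (a, b) where a starts with prefix_a, b starts with prefix_b and weak_hash(a) == weak_hash(b).

    A birthday search is enough for a 24-bit digest; for full MD5 the researchers used a
    dedicated chosen-prefix construction and a PlayStation 3 cluster instead.
    """
    table = {}
    for i in range(1 << 13):
        cand = prefix_a + b";pad=%d" % i
        table.setdefault(weak_hash(cand), cand)
    for j in range(1 << 22):
        cand = prefix_b + b";pad=%d" % j
        h = weak_hash(cand)
        if h in table:
            return table[h], cand
    raise RuntimeError("no collision found")  # astronomically unlikely at this digest size


def demo() -> dict:
    # Constructed stand-ins for two tbsCertificate structures: the one the CA thinks it is
    # signing (an ordinary site certificate) and the one the attacker actually wants signed.
    site_prefix = b"subject=CN=www.example.com;basicConstraints=CA:FALSE"
    rogue_prefix = b"subject=CN=Example Rogue CA;basicConstraints=CA:TRUE"
    site_tbs, rogue_tbs = chosen_prefix_collision(site_prefix, rogue_prefix)

    sig = ca_sign(site_tbs)  # the legitimate CA signs only the harmless-looking request
    return {
        "site_verifies": verify(site_tbs, sig),
        "rogue_verifies": verify(rogue_tbs, sig),  # same signature, rogue CA contents
        "different_tbs": site_tbs != rogue_tbs,
        "rogue_is_ca": b"CA:TRUE" in rogue_tbs,
    }


if __name__ == "__main__":
    print(demo())
```

The defence is the one the article arrives at: the relying party cannot tell the two structures apart, so the only fix is a hash for which nobody can produce the colliding pair in the first place.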

According to Sotirov, a rogue CA in combination with Dan Kaminsky's DNS attack can have serious consequences:

For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users' passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.

Sotirov said the team secured NDAs before briefing the major browser vendors about the problem, but because of issues, some practical and some political, there are no straightforward fixes short of the CAs abandoning MD5 and moving to the more secure SHA-1 algorithm.

To avoid abuse, the team back-dated its rogue CA certificate (its validity period was set to August 2004, so it had already expired when created) and will not release the private key. "We're also not going to release the special code that we used to do the MD5 collisions until later this year," Sotirov added.

"We don't anticipate this attack to be repeatable very easily. If you do a naive implementation, you would need six months to run it successfully," he added.

Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms, said the key objective of the research was to stimulate better Internet security, with adequate protocols that provide the necessary security.

The key takeaway, according to Lenstra: "It's imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard."
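The check a site operator or auditor would want after reading this: does any certificate in a chain carry an MD5 (or MD2) signature, and is it still within its validity window? The following added example, not code from the article or from the researchers, is a minimal DER walk that reads a certificate's outer signatureAlgorithm OID and its validity period with no third-party library. Because it needs sample input, it also builds a constructed certificate with a placeholder signature: the encoder, the names, the serial and the dates are invented for the test, and nothing here verifies any signature. The audit date defaults to the article's publication window so the result is deterministic.

```python
import datetime

# When the audit is "run": the article's publication window. Pass another value to inspect_cert().
AUDIT_DATE = datetime.datetime(2008, 12, 30)

# PKCS#1 signature-algorithm OIDs and how an auditor reading this article should treat each.
SIG_ALGS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "legacy"),  # the interim step the article names
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),   # SHA-2, the recommended target
}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))  # base-128, high bit set on all but the last byte
    return tlv(0x06, bytes(out))


def read_tlv(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, value_bytes, position_after_element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes) -> list:
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_time(tag: int, body: bytes) -> datetime.datetime:
    s = body.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ: RFC 5280 reads YY >= 50 as 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")  # 0x18 GeneralizedTime already has the full year


def inspect_cert(der: bytes, now: datetime.datetime = AUDIT_DATE) -> dict:
    """Report the outer signature algorithm and validity window of one DER-encoded certificate."""
    _, cert_body, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = children(cert_body)  # tbsCertificate, AlgorithmIdentifier, BIT STRING
    alg_oid = decode_oid(children(sig_alg)[0][1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (nb_tag, nb), (na_tag, na) = children(fields[3][1])
    not_before, not_after = parse_time(nb_tag, nb), parse_time(na_tag, na)
    name, status = SIG_ALGS.get(alg_oid, (alg_oid, "unknown"))
    return {"sig_alg": name, "status": status, "expired": now > not_after,
            "not_yet_valid": now < not_before, "not_after": not_after.isoformat()}


def build_cert(alg_oid: str, not_before: str, not_after: str) -> bytes:
    """Constructed certificate for exercising the inspector. The signature is a placeholder; nothing verifies it."""
    alg_id = tlv(0x30, encode_oid(alg_oid) + tlv(0x05, b""))

    def name(cn: str) -> bytes:  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, commonName only
        return tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))

    spki = tlv(0x30, tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 9))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg_id + name("Constructed Test Root")
              + tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode()))
              + name("Constructed Test Sub-CA") + spki)
    return tlv(0x30, tbs + alg_id + tlv(0x03, b"\x00" + b"\xAA" * 16))


if __name__ == "__main__":
    # An MD5-signed CA certificate whose validity is pinned to a few weeks in 2004 (dates constructed).
    backdated = build_cert("1.2.840.113549.1.1.4", "040731000000Z", "040902000000Z")
    print(inspect_cert(backdated))
    print(inspect_cert(build_cert("1.2.840.113549.1.1.11", "081201000000Z", "101201000000Z")))
```

To audit a real chain, feed the raw bytes of each DER file to inspect_cert() (base64-decode PEM first) and look at every certificate except the root: a root's self-signature is never checked, since roots are trusted by being present in the store, so an MD5 self-signed root is not itself the problem; an MD5 signature on an intermediate or end-entity certificate is.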


Talkback

77 comments
  • At least they're talking to the vendors first.

    Now if only the CAs will get off their butts and implement some changes...
    Letophoro
    • CAs and SSLs Are Irrelevant to Phishing Attacks:

      CAs and SSLs are irrelevant to phishing Attacks because there is another, absolutely sure way to defeat phishing attacks: NEVER TAKE THE BAIT!!! I don't care what kind of security your software provides, when the man says, "Hey, little boy, I've got some candy for you. Just get in the car and I'll take you to the hospital to see your mother who was in an accident." You never, never, never ever get in the car. You scream for help as loud as you can and run.
      That is, you call your bank or whoever it is the come-on purports to originate from. And (as with eBay) you see that the identical message is NOT waiting for you in your inbox. Or (as with any other business) the customer rep YOU called tells you that they are not trying to contact you re your account. That way you know for 100% certain that the first message was a fake!

      Simple, foolproof, but there is one born every minute. That's why the Pigeon Drop or the Nigerian Scam still rope them in even today.

      Wine Arbitrage (http://www.westernnewsco.com)
      Seamus O'Brog
      • WRONG

        Notice your use of the same tactic as phishing scammers. Just lie in bold letters and many people will indeed believe their bank, PayPal, the IRS etc. is sending them a message, will log into the phishing website's official-looking site (i.e. identical to the real thing) and give up their information to them, and now one of the ways people are told by nearly every site using SSL to check for authenticity has been defeated. Personally I do what you recommend, that is I don't follow links from e-mails; I log into eBay etc. and look for the message there. But many people don't and that is the entire point! Yes, you have the right idea, but CAs and SSLs are relevant when it comes to phishing; posting that they are not on ZD has little effect, people that come to this website probably know better than to fall for a fake message, but the general populace of PC users depend on what they are told to check for safe transactions, i.e. "If you get a message you think might not be valid, check its security certificate before giving sensitive information."
        Now even that is not safe, so one of the ways to check to be sure the message is legit is out the window.

        NOW add to this searching for your Bank, software site etc through Google often results in fake sites too, one has to be more diligent than ever.
        Timewellwasted
        • Wrong My Aunt Fanny:

          So what you're saying is that, as a member of the IT community making money off this kind of BS security, you encourage the chumps to rely on CAs and SSLs to protect their money even though you yourself don't. In other words, you're selling something you wouldn't dream of buying. Well, sorry, I'm not buying it either.

          While I'm not qualified to comment on it, I believe that CAs and SSLs have their legit place in online transactions.

          But I am qualified to comment on phishing and I say again, when the man opens the car door and says, "Your mommy's hurt, hop in and I'll take you to the hospital to see her." you do not ask to see his ID, you scream and run. Then you call home.

          I repeat, anyone who gets any phishing-style email (i.e. "We need to contact you, click this link and we can take care of things."), anyone who gets this type of email and doesn't immediately delete it is a damn fool, and a fool and his money are soon parted even in cyberspace. Perhaps ESPECIALLY in cyberspace.

          Wine Arbitrage (http://www.westernnewsco.com)
          Seamus O'Brog
          • You May Be Stubborn

            But that doesn't make you right. First I want to ask you just what makes you think I profit from any of this kind of crap? IT profits from people getting scammed how?

            Second, you are taking this to a completely different level: reality vs. your wishful thinking. People get suckered into this type of behavior constantly. Say whatever you want, tell your customers and as many people in the world as you want not to follow links in e-mails or other methods of avoiding getting scammed. Unfortunately there is going to be a percentage that do exactly what the phishing scammers want and follow the link etc.; some will even rely on the certificate's authenticity as confirmation that it is the real thing.

            This is what phishing scams are all about, fooling people into revealing their personal information to people for exploitation. AND IT WORKS! So don't try to tell me CAs and SSLs are irrelevant to phishing attacks, because you are foolish to believe so. As a matter of fact it is fantasy to think so because it happens EVERY DAY: someone receives a notification/balance information/etc. from their bank, they follow the link and log in and do their business. Some check for a CA, some don't; some were on their bank's legitimate website and others were not, and their banks are notifying them of suspicious activity in Guam on their credit card or some other nefarious activity.
            Timewellwasted
          • Who says...

            that it's going to come from an e-mail? You've seen the recent DNS vulnerabilities. There are still servers out there that are flawed. A DNS redirection attack for your banking site, make the splash page look the same, fake the SSL cert and suddenly that padlock and saying that the SSL confirms it is wellsfargo.com means absolutely nothing. Or how about a local DNS hijacker? Those exist as well.

            Your logic is severely flawed. If the world of computing and security looked at it the way you do, we'd just tell people to get over it. Your computer has malware? Pssh, idiot, get over it. That's a great attitude. Exactly what makes you "qualified" to comment on phishing attacks? From your comments you're barely qualified to use a Talkback at all.
            LiquidLearner
      • Simple, foolproof, ...

        "Simple, foolproof, but there is one born every minute. That's why the Pigeon Drop or the Nigerian Scam still rope them in even today.
        "

        You bet there is, and it's a never-ending supply of suckers for the bottom feeding bass turds on top of it!
            There will always be the gullible, ill, feeble, desperate, hard up, straw grasping types who will keep such crams (crap-scams) alive. That's why they call it social engineering. And people are getting more desperate every day right now.
        twaynesdomain-22354355019875063839220739305988
      • Phishing uses a similarly spelled name

        Phishing uses a similarly spelled name which could use a perfectly legitimate SSL certificate with a SHA-256 or better hash. Phishing also uses fake HTML code that shows a legitimate domain which actually takes you to a different website. Then the support for new character codes in domain names that have very similar looking characters could be a future vulnerability. The problem is that a significant percentage of computer users don't know any better and they're susceptible to these social engineering scams without any of these fancy cryptographic breaks or computer vulnerabilities.
        georgeou
    • They were not talking to the vendors first....

      After reading the response from Trustico it appears that they did not contact the vendors first.

      http://trustico.com/news/press/md5dec08/index.php

      Wouldn't it make more sense to advise the vendors of the problem first? Looks like the vendors acted quickly once informed (via the media).

      Ian D
      ian.dell
  • RE: SSL broken! Hackers create rogue CA certificate using MD5 collisions

    Time to pay attention to your SiteKey.
    twinbit
    • Sitekey is worthless...

      All the hacker has to do is in the background access the real site with your ID and get the sitekey and present it on the phoney website.
      mrlinux
  • RE: SSL broken! Hackers create rogue CA certificate using MD5 collisions

    Fucking bullshit; the author should go jerk off 25 times.
    zaza1233
  • Test if your certificate has been signed with an insecure algorithm

    Networking4all created a tool to check if a certificate in the chain has been signed with an insecure algorithm

    Example:
    http://www.networking4all.com/en/support/tools/site+check/?fqdn=www.verisign.com

    You can check all sites on:
    http://www.networking4all.com/en/support/tools/site+check/
    vanbroup
    • Thanks for the links. :) (nt)

      nt
      V@...
    • YES!....TYVM!

      Thank You Very Much vanbroup! I have already started using your test page on several sites I use. Very interesting results; I may have to contact their webmasters about some of the scarier results!
      JCitizen
  • SSL not broken... just Cert trust is broken

    Phishing is phishing. Trust of MD5 may be broken but unencryption of MD5 SSL is not undone by any means here. Never trust a padlock... was anyone trusting them? Rogue certs have been in play for some time, web scripts can impregnate certs into local cert stores. A SHA-1 rogue cert can be used just as easily. These geeks are just trying to show off how big their brain is = yay. Hackers go the route of least expense and resistance.

    -Chuck
    Chucks_net
  • I was just looking at stuff myself

    Last night I was looking at the traffic being generated and wondering why MD5 was still being used. Just watching the traffic, I was able to de-construct the MD5 messages in my head. It was pathetic. And SHA-1 is not all that better. And SHA-2 thru SHA-4 have all sorts of issues themselves, and SHA-5 is just a bad ball of wax in itself. They really need a brand new type of encryption to do all this with.
    kokuryu
    • 1f82a5fd55b8a75e47d36d55c72aac77 nt

      nt
      T1Oracle
      • Not that smart then, eh? nt

        nt
        T1Oracle