SSL broken! Hackers create rogue CA certificate using MD5 collisions
Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.
The research, which will be presented today by Alex Sotirov and Jacob Appelbaum at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.
The research is significant because there are at least six CAs currently using the weak MD5 cryptographic algorithm in digital signatures and certificates. The most commonly used Web browsers -- including Microsoft's Internet Explorer and Mozilla's Firefox -- whitelist these CAs, meaning that a fake Certificate Authority can display any site as secure (with the SSL padlock).
"We basically broke SSL," Sotirov said in an interview ahead of his 25C3 presentation.
Our main result is that we are in possession of a "rogue" Certification Authority (CA) certificate. This certificate will be accepted as valid and trusted by many browsers, as it appears to be based on one of the "root CA certificates" present in the so called "trust list" of the browser. In turn, web site certificates issued by us and based on our rogue CA certificate will be validated and trusted as well. Browsers will display these web sites as "secure", using common security indicators such as a closed padlock in the browser's window frame, the web address starting with "https://" instead of "http://", and displaying reassuring phrases such as "This certificate is OK" when the user clicks on security related menu items, buttons or links.
Researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands helped in the design and implementation of the attack using an advanced implementation of a known MD5 collision construction and a cluster of more than 200 PlayStation 3 game consoles.
According to Sotirov, a rogue CA in combination with Dan Kaminsky's DNS attack can have serious consequences:
For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users' passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.
Sotirov said the team was able to secure NDAs in advance of briefing the major browser vendors about the problem, but because of issues -- some practical and some political -- there are no straightforward fixes unless the CAs stop using MD5 and move to the more secure SHA-1 algorithm.
To avoid abuse, the team back-dated its rogue CA (it was set only for August 2004) and will not release the private key. "We're also not going to release the special code that we used to do the MD5 collisions until later this year," Sotirov added.
"We don't anticipate this attack to be repeatable very easily. If you do a naive implementation, you would need six months to run it successfully," he added.
According to Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms, the key objective of the research was to stimulate better Internet security with adequate protocols that provide the necessary security.
The key takeaway, according to Lenstra: "It's imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard."
Further details:
- Detailed explanation
- Slides from the 25c3 presentation
- Demo site (set your system date to August 2004 before clicking)
Talkback
At least they're talking to the vendors first.
CAs and SSLs Are Irrelevant to Phishing Attacks:
That is, you call your bank or whoever it is the come on purports to originate from. And (as with eBay) you see that the identical message is NOT waiting for you in your in box. Or (as with any other business) the customer rep YOU called tells you that they are not trying to contact you re your account. That way you know for 100% certain that the first message was a fake!
Simple, foolproof, but there is one born every minute. That's why the Pigeon Drop or the Nigerian Scam still rope them in even today.
Wine Arbitrage (http://www.westernnewsco.com)
WRONG
Now even that is not safe so one of the ways to check to be sure the message is legit is out the window.
NOW add to this searching for your Bank, software site etc through Google often results in fake sites too, one has to be more diligent than ever.
Wrong My Aunt Fanny:
While I'm not qualified to comment on it, I believe that CAs and SSLs have their legit place in online transactions.
But I am qualified to comment on phishing and I say again, when the man opens the car door and says, "Your mommy's hurt, hop in and I'll take you to the hospital to see her." you do not ask to see his ID, you scream and run. Then you call home.
I repeat, anyone who gets any phishing style email, (ie. "We need to contact you, click this link and we can take care of things.") anyone who gets this type of eMail and doesn't immediately delete it is a damn fool and a fool and his money are soon parted even in cyberspace. Perhaps ESPECIALLY in cyberspace.
Wine Arbitrage (http://www.westernnewsco.com)
You May Be Stubborn
Second you are taking this to a completely different level, reality vs. your wishful thinking. People get suckered into this type of behavior constantly, say whatever you want, tell your customers and as many people in the world as you want not to follow links in e-mails or other methods of avoiding getting scammed. Unfortunately there is going to be a percentage that do exactly what the phishing scammers want and follow the link etc. some will even rely on the certificates authenticity as confirmation that it is the real thing.
This is what phishing scams are all about, fooling people into revealing their personal information to people for exploitation. AND IT WORKS! So don't try to tell me CAs and SSLs Are Irrelevant to Phishing Attacks because you are foolish to believe so. As a matter of fact it is fantasy to think so because it happens EVERY DAY, someone receives a notification/balance information/etc. from their bank, they follow the link and log in and do their business. Some check for CA some don't, some were on their bank's legitimate website and others were not and their banks are notifying them of suspicious activity in Guam on their credit card or some other nefarious activity.
Who says...
Your logic is severely flawed. If the world of computing and security looked at it the way you do, we'd just tell people to get over it. Your computer has malware? Pssh, idiot, get over it. That's a great attitude. Exactly what makes you "qualified" to comment on phishing attacks? From your comments you're barely qualified to use a Talkback at all.
Simple, foolproof, ...
You bet there is, and it's a never-ending supply of suckers for the bottom feeding bass turds on top of it!
There will always be the gullible, ill, feeble, desperate, hard up, straw grasping types who will keep such crams (crap-scams) alive. That's why they call it social engineering. And people are getting more desperate every day right now.
Phishing uses a similarly spelled name
a perfectly legitimate SSL certificate with a SHA-256 or better hash. Phishing also uses fake HTML code that shows a legitimate domain which actually takes you to a different website. Then the support for new character codes in domain names that have very similar looking characters could be a future vulnerability. The problem is that a significant percentage of computer users don't know any better and they're susceptible to these social engineering scams without any of these fancy cryptographic breaks or computer vulnerabilities.
They were not talking to the vendors first....
they did not contact the vendors first.
http://trustico.com/news/press/md5dec08/index.php
Wouldn't it make more sense to advise the vendors of the problem first? Looks like the vendors acted quickly once informed (via the media).
Ian D
RE: SSL broken! Hackers create rogue CA certificate using MD5 collisions
Sitekey is worthless...
RE: SSL broken! Hackers create rogue CA certificate using MD5 collisions
RE: SSL broken! Hackers create rogue CA certificate using MD5 collisions
Test if your certificate has been signed with an insecure algorithm
certificate in the chain has been signed with an insecure algorithm
Example:
http://www.networking4all.com/en/support/tools/site+check/?fqdn=www.verisign.com
You can check all sites on:
http://www.networking4all.com/en/support/tools/site+check/
Thanks for the links. :) (nt)
YES!....TYVM!
SSL not broken... just Cert trust is broken
-Chuck
I was just looking at stuff myself
1f82a5fd55b8a75e47d36d55c72aac77 nt
Not that smart then, eh? nt