The research, which will be presented today by Alex Sotirov (top left) and Jacob Appelbaum (bottom left) at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.
The research is significant because there are at least six CAs currently using the weak MD5 cryptographic algorithm in digital signatures and certificates. The most commonly used Web browsers -- including Microsoft's Internet Explorer and Mozilla's Firefox -- whitelist these CAs, meaning that a fake Certificate Authority can display any site as secure (with the SSL padlock).
"We basically broke SSL," Sotirov said in an interview ahead of his 25C3 presentation.
Our main result is that we are in possession of a "rogue" Certification Authority (CA) certificate. This certificate will be accepted as valid and trusted by many browsers, as it appears to be based on one of the "root CA certificates" present in the so called "trust list" of the browser. In turn, web site certificates issued by us and based on our rogue CA certificate will be validated and trusted as well. Browsers will display these web sites as "secure", using common security indicators such as a closed padlock in the browser's window frame, the web address starting with "https://" instead of "http://", and displaying reassuring phrases such as "This certificate is OK " when the user clicks on security related menu items, buttons or links.
Researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands helped in the design and implementation of the attack using an advanced implementation of a known MD5 collision construction and a cluster of more than 200 PlayStation 3 game consoles.
According to Sotirov, a rogue CA in combination with Dan Kaminsky's DNS attack can have serious consequences:
For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users' passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.
Sotirov said the team was able to secure NDAs in advance of briefing the major browser vendors about the problem but because of issues -- some practical and some political -- there are no straightforward fixes unless the CAs stop using MD5 and move to the more secure SHA-1 algorithm.
To avoid abuse, the team back-dated its rogue CA (it was set only for August 2004) and will not release the private key. "We're also not going to release the special code that we used to do the MD5 collisions until later this year," Sotirov added.
"We don't anticipate this attack to be repeatable very easily. If you do a naive implementation, you would need six months to run it successfully," he added.
Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms, the key objective of the research was to stimulate better Internet security with adequate protocols that provide the necessary security.
The key takeaway, according to Lenstra: "It's imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard."