A group of security researchers has demonstrated that it is possible to create a "rogue" SSL certificate allowing them to impersonate "any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol".
All current browsers would be fooled, the researchers claim.
Shown at the Chaos Computer Club's annual conference in Berlin, the dummy certificate has an expiry date backdated to 2004, so as to make it practically useless. Nonetheless, the researchers claim it is good enough to fool the best of 'em.
The basis of the crack lies in an apparent vulnerability in the MD5 hash algorithm used to sign certificates, so the researchers are urging certification authorities (CAs) to switch to newer, more secure alternatives such as SHA-2. It seems that MD5 has long been shown to have a potential for exploitation, but the researchers are claiming their rogue certificate as the first definitive proof.
According to our sister publication, News.com, Verisign has already closed the hole, speeding up the purge of MD5 signing in its certificates. Internet Explorer-maker Microsoft has shrugged its shoulders, saying the researchers have "not published the cryptographic background to the attack" and claiming this makes their exploit unrepeatable.
The piece also quotes the ever-reliable Bruce Schneier:
"SSL protects data in transit but the problem isn't eavesdropping on the transmission. Someone can steal the credit card on some server somewhere. The real risk is data in storage. SSL protects against the wrong problem," he said.
"This is good work, great cryptography. I love the research, but this doesn't matter a whit," Schneier added. "There are half a dozen ways to forge certificates and nobody checks them anyway."