Security researcher Dan Kaminsky on Thursday offered details of what he claims are serious flaws in the Secure Sockets Layer encryption protocol.
At the Black Hat security confab in Las Vegas, Kaminsky, director of penetration testing for IOActive, said that X.509 digital certificates, which are used in SSL encryption and authentication, use the outdated and weak MD2 cryptographic hash function. This could create opportunities for enterprising miscreants, he said.
VeriSign previously used MD2 for signing its digital certificates, but the company says it stopped the practice last year. Still, while businesses have invested millions of dollars in X.509, it suffers from both technical and structural issues, according to Kaminsky.
One security solution provider wasn't surprised by Kaminsky's disclosure. "The issue of X.509 being less than perfect has been known for a while, and the MD2 hash algorithm has been known to be unsecure since 2004," said Jens Laundrup, principal consultant for Emagined Security, San Carlos, Calif.
"In my opinion, the real story is that the certificate authority, in this case VeriSign, reacted very slowly to this, and that should be unacceptable to businesses," added Laundrup.
It's the second straight year Kaminsky has warned of a significant vulnerability in the Internet infrastructure. Last year, Kaminsky stole the show at Black Hat with a presentation on a DNS vulnerability that opened the door to so-called cache poisoning attacks, which he said could take down IPSec VPNs, SSL certification, automatic software update systems, spam filters and VoIP.
In another Black Hat presentation this year, security researcher Moxie Marlinspike showed how an attacker could spoof SSL certificates by including a "null" string character in a certificate field, thus tricking the Web browser into accepting the spoofed certificate and paving the way for a wide range of unsavory activity.
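Both issues reported above come down to checks a certificate validator should make: refusing weak signature hashes such as MD2, and comparing the certificate's name field over its full length instead of stopping at a null character. The following is an added example written for this page, not code from either researcher; it works on already-parsed certificate fields, and the certificate records and host names in it are constructed sample data.

```python
# Added example: defender-side checks for MD2-signed certificates and
# null-character names, applied to parsed certificate fields (constructed data).

WEAK_SIGNATURE_HASHES = {"md2", "md4", "md5"}


def c_string_view(name: bytes) -> bytes:
    """Emulate what a C strcmp()-style comparison sees: only the bytes up to
    the first NUL. This truncation is what the null-character trick relies on."""
    nul = name.find(b"\x00")
    return name if nul < 0 else name[:nul]


def naive_host_matches(common_name: bytes, expected_host: str) -> bool:
    """Vulnerable comparison: a NUL-truncated name compares equal to expected_host."""
    return c_string_view(common_name).lower() == expected_host.lower().encode()


def strict_host_matches(common_name: bytes, expected_host: str) -> bool:
    """Hardened comparison: reject embedded NULs and compare the full length."""
    if b"\x00" in common_name:
        return False
    try:
        name = common_name.decode("ascii")
    except UnicodeDecodeError:
        return False
    return name.lower() == expected_host.lower()


def assess_certificate(cert: dict, expected_host: str) -> list:
    """Return findings for a parsed certificate record (hypothetical dict layout)."""
    findings = []
    if cert["signature_hash"].lower() in WEAK_SIGNATURE_HASHES:
        findings.append(f"weak signature hash: {cert['signature_hash']}")
    common_name = cert["common_name"]
    if b"\x00" in common_name:
        findings.append("embedded NUL in common name")
    if not strict_host_matches(common_name, expected_host):
        findings.append("common name does not match expected host")
    return findings


# Constructed sample records, not real certificates.
SAMPLE_CERTS = {
    "legacy_root": {"signature_hash": "md2", "common_name": b"Example Root CA"},
    "honest_leaf": {"signature_hash": "sha256", "common_name": b"www.example.com"},
    "nul_leaf": {"signature_hash": "sha1",
                 "common_name": b"www.example.com\x00.other.example"},
}

if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(label, assess_certificate(cert, "www.example.com"))
```

The `nul_leaf` record passes `naive_host_matches` but fails `strict_host_matches`, which is exactly the gap between a truncating string compare and a length-aware one.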
