Researchers' Web Certificate Hack Highlights Big Internet Flaw


During the 25th annual Chaos Communication Congress held in Berlin, cryptographers from the U.S., Netherlands and Switzerland demonstrated a way to impersonate the digital credentials of RapidSSL, a company used by browsers to correctly distinguish legitimate Web sites from spam sites or sites containing malicious code. The demonstration was executed on approximately 200 PlayStation 3 gaming consoles.

Consequently, the forged credentials would enable hackers to easily impersonate almost any Web site that relied on MD5 as a means of SSL certification, including numerous banking and retail sites.

Many Web browsers rely on companies like RapidSSL to function as "certificate authorities," also known as CAs, by issuing unique digital security credentials designed to specifically identify and authenticate legitimate Web sites. E-commerce and banking sites routinely use these certificates, which encrypt sensitive data in transit in order to foil potential hackers attempting to intercept and hijack the transaction. Users relying on this technology are assured of secure online communication by the telltale padlock symbol at the bottom of their browser windows.

However, a security hole is opened by a weakness in the cryptographic function known as MD5, which is still used by RapidSSL, and a few other companies, as a way to sign their digital certificates.


Most recently, security researchers discovered that those same MD5 weaknesses allow for the creation of forged SSL certificates that appear to come from legitimate CAs, and which are still accepted by all Web browsers. As a result, hackers can exploit the MD5 weakness by taking control of large networks, such as those of online banking sites, for financial gain.

Attackers could potentially hijack a legitimate site then redirect requests to a forged site, unbeknownst to the user. Users would then submit passwords, credit card numbers and other sensitive information, thinking that their transactions were secure because the SSL padlock symbol, indicating that the site was authorized by a CA, would still be present on their Web browser.

Experts say that the problem is far from being a new one. In 2004, researchers detected weaknesses in the MD5 signature algorithm that could let hackers produce the same digital fingerprint for two different messages. And the security problems persist for the CAs that still rely on the outdated algorithm to authenticate SSL certificates.

"We've known for years that the MD5 is a bad algorithm and needs to be replaced," said Paul Kocher, president and chief scientist of Cryptography Research, a data security research firm based in San Francisco. "Some CA's screwup could enable adversaries to impersonate your site. It's not something where the carelessness of one CA affects only their customers; it affects everybody."

As far as exploits go, Kocher said, the MD5 flaw isn't particularly serious, due to the fact that customers can take measures to avoid using MD5 certification. "Over time, eventually Web browsers can stop accepting MD5 certificates altogether. There are a number of things that can be done to ensure this isn't a problem on a going forward basis."

"If you're running any popular Web browser, it's riddled with bugs anyway that are more hackable," he added.

But because all browsers still accept MD5 hashes, researchers say that browser makers should also take action to protect their users from being exploited by disabling the MD5 signature functions or by using more sophisticated cryptographic measures, such as the more secure SHA-1 signing algorithm.
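The check a site operator or browser vendor would want after reading the two points above (the weakness sits in the MD5 signature on the certificate, and the fix is to stop accepting such signatures) is an audit of a certificate chain for MD5-based signatures. The following is an added example, not code from the article or from any CA or browser vendor. It works on the text form that `openssl x509 -text -noout` prints, and the three-certificate chains it audits are constructed samples with placeholder names, not real certificates. It also encodes the caveat a practitioner would want: a weak hash only matters on a signature that something relies on, so an MD5 self-signature on a root that is already in the trust store is reported but does not by itself reject the chain.

```python
"""Audit a certificate chain for MD5-based signatures.

Added example: operates on `openssl x509 -text -noout` output.  The sample
certificates at the bottom are constructed, with placeholder names.
"""
import re

# Signature algorithm names, as OpenSSL prints them, whose hash is known to be
# collision-prone.  MD5 is the one the RapidSSL demonstration exploited.
WEAK_SIGNATURE_ALGORITHMS = {
    "md2WithRSAEncryption",
    "md4WithRSAEncryption",
    "md5WithRSAEncryption",
}

_SIG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)
_ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+)$", re.MULTILINE)
_SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+)$", re.MULTILINE)


def parse_cert_text(text):
    """Extract signature algorithm, issuer and subject from one text dump.

    OpenSSL prints "Signature Algorithm:" twice (inside the to-be-signed data
    and again before the signature value); both name the same algorithm, so
    the first match is sufficient.
    """
    sig = _SIG_RE.search(text)
    issuer = _ISSUER_RE.search(text)
    subject = _SUBJECT_RE.search(text)
    if not (sig and issuer and subject):
        raise ValueError("not an `openssl x509 -text` dump")
    return {
        "signature_algorithm": sig.group(1),
        "issuer": issuer.group(1).strip(),
        "subject": subject.group(1).strip(),
    }


def audit_chain(cert_texts):
    """Return (accept, findings) for a chain ordered leaf -> ... -> root.

    A weak signature on the leaf or on any intermediate is what lets a forged
    certificate pass, so those reject the chain.  A trust-anchor root is
    trusted because it is in the browser's store, not because of its own
    self-signature, so a weak self-signature there is only reported.
    """
    accept = True
    findings = []
    for cert in map(parse_cert_text, cert_texts):
        alg = cert["signature_algorithm"]
        if alg not in WEAK_SIGNATURE_ALGORITHMS:
            continue
        if cert["issuer"] == cert["subject"]:
            findings.append(
                f"INFO: root '{cert['subject']}' is self-signed with {alg}; "
                "harmless if it is a configured trust anchor"
            )
        else:
            accept = False
            findings.append(
                f"REJECT: '{cert['subject']}' is signed by "
                f"'{cert['issuer']}' with {alg}"
            )
    return accept, findings


def _sample_cert(serial, alg, issuer, subject):
    """Build a constructed `openssl x509 -text`-style dump (sample data only)."""
    return (
        "Certificate:\n"
        "    Data:\n"
        "        Version: 3 (0x2)\n"
        f"        Serial Number: {serial} (0x{serial:x})\n"
        f"        Signature Algorithm: {alg}\n"
        f"        Issuer: {issuer}\n"
        f"        Subject: {subject}\n"
        f"    Signature Algorithm: {alg}\n"
    )


# Constructed sample chains with placeholder names (not real certificates).
ROOT_DN = "O=Example CA, CN=Example Root CA"
INTER_DN = "O=Example CA, CN=Example Intermediate CA"
LEAF_DN = "O=Example Bank, CN=www.example-bank.test"

ROOT_MD5 = _sample_cert(1, "md5WithRSAEncryption", ROOT_DN, ROOT_DN)
INTER_SHA1 = _sample_cert(2, "sha1WithRSAEncryption", ROOT_DN, INTER_DN)
LEAF_MD5 = _sample_cert(4097, "md5WithRSAEncryption", INTER_DN, LEAF_DN)
LEAF_SHA1 = _sample_cert(4098, "sha1WithRSAEncryption", INTER_DN, LEAF_DN)

if __name__ == "__main__":
    for chain in ([LEAF_MD5, INTER_SHA1, ROOT_MD5], [LEAF_SHA1, INTER_SHA1, ROOT_MD5]):
        accept, findings = audit_chain(chain)
        print("ACCEPT" if accept else "REJECT", findings)
```

To run this against a live site, feed it the output of `openssl s_client -showcerts` split into individual certificates and piped through `openssl x509 -text -noout`; the first chain above is rejected because its leaf carries an MD5 signature, while the second is accepted with only an informational finding about the root.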

So far, there are no known attacks exploiting this flaw. Cryptographers contend that they don't necessarily expect an onslaught of attacks exploiting this vulnerability. And researchers say that the engineering feats required to execute an MD5 attack would be time-consuming and complicated for most hackers.

Microsoft also said on its security Web site that the chances of widespread attacks were diminished due to the fact that the details of the hack were not made publicly available. However, Kocher said that he wouldn't "put a lot of stock" into the lack of publicly available exploit code as a viable means of preventing attacks.

"This is really in the realm of interesting academic research. It's a significant issue highlighting that some CAs are not all doing their job well," Kocher said. "It's completely fixable. It's really an issue of there being one or more CAs completely behind the times."