
At the 25th Chaos Communication Congress (CCC) today, researchers will reveal how they utilized a collision attack against the MD5 algorithm to create a rogue certificate authority. This is pretty big news, so read on.
When you make a secured connection to a website via HTTPS, a public key certificate is sent from the server to your computer. This certificate contains a digital signature which your computer uses to verify the identity of the site to which you’re connecting. Certificates are “signed” by a Certificate Authority (CA), which acts as a kind of middle-man: you trust the CA, so you can trust the certificates signed by the CA. Anyone can create a certificate authority, though, so most browsers have a list of known reputable and trustworthy CAs. When your computer gets a certificate from a server, your browser checks the CA that issued it to determine whether the CA is trustworthy. If the CA is trustworthy, your browser assumes that the certificate being presented is trustworthy.
The public key cryptography utilized by Certificate Authorities is evolving, as are most things in the technology world. Some CAs used the MD5 algorithm to compute the digital signatures for certificates. MD5 has been known for some time to be weak against collision attacks, but running a CA is a pretty complex operation, so the entities behind them are slow to change.
Researchers attacked the MD5 algorithm using 200 PlayStation 3 systems and were able to construct a bogus Certificate Authority that looks like a known trusted CA. What this means is that these guys could generate a certificate for www.amazon.com which, when presented to your browser, would be accepted as the real thing. The digital signature on the fake certificate is listed as coming from a supposedly reputable CA, so your browser happily accepts it, reassuringly showing you the little padlock icon.

Okay, so how does this affect you? If the researchers’ results can be duplicated by a malicious agent, they could generate any number of certificates that would be trusted by browsers all around the world. This alone might be sufficient, though this attack could be coupled with a sophisticated DNS attack to make it very hard for anyone to realize that they’d been suckered. Your browser would report that you’re at yourbank.com; your browser would report that you were using HTTPS to protect the connection; and your browser would report that the SSL certificate being used for that HTTPS connection really did belong to yourbank.com. Granted, the level of effort required to perform such an attack is currently enormous, and the potential gains are probably limited, so it’s likely not the kind of thing that would be pulled on average Internet users. But it’s still something about which to be concerned.
The attack outline states “[w]ith optimizations the attack might be done for $2000 on Amazon EC2 in 1 day.” Thankfully, the researchers are not releasing their specific implementation. That’s somewhat reassuring, but expect conniving folks somewhere to try to recreate the researchers’ results for less academic purposes.
The PDF concludes with this: “No need to panic, the Internet is not completely broken” and assures us that the “affected CAs are switching to SHA-1”. SHA-1 is believed to be weak against certain attacks, though, so it might be better for the vulnerable CAs to jump right to SHA-2 or SHA-3.
Bottom line: as always, be cognizant of your browsing habits. If something looks or feels fishy, don’t provide any account names or passwords. Use different passwords for different websites, so that if you do get suckered by a phishing attack the phishers don’t get the keys to your online kingdom.
Link: 25C3: MD5 considered harmful today
Via: ZDnet
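The article above describes trust flowing down a certificate chain, and the risk is any signature in that chain computed over MD5. As an added illustration (not code from the original post or from the researchers), here is the check a defender would run on the chain a server sends: parse each DER certificate, read its outer signatureAlgorithm OID, and flag any certificate below the trust anchor that was signed with MD5. The sample chain is constructed, with only the fields the check reads filled in; the parser itself works on real DER certificates.

```python
# Signature-algorithm OIDs whose hash is MD5 (both are real, standard OIDs).
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                      "1.3.14.3.2.3": "md5WithRSA (OIW)"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)        # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(cert_der):
    """OID of the outer signatureAlgorithm, i.e. the hash the issuer signed with."""
    _, cert, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _read_tlv(alg_id, 0)
    return _decode_oid(oid)

def md5_signed_certs(chain_der):
    """Flag certificates signed with MD5 in a leaf-first chain, skipping the trust
    anchor: a root's self-signature is never verified, so its hash does not matter."""
    findings = []
    for i, der in enumerate(chain_der[:-1]):
        oid = signature_algorithm_oid(der)
        if oid in MD5_SIGNATURE_OIDS:
            findings.append((i, MD5_SIGNATURE_OIDS[oid]))
    return findings

# Constructed sample chain (not real certificates): only the fields the check
# reads are present; tbsCertificate is an empty SEQUENCE and the signature a stub.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length is enough here

def _fake_cert(sig_oid):
    alg_id = _tlv(0x30, _tlv(0x06, sig_oid) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + _tlv(0x03, b"\x00"))

_PKCS1 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"  # 1.2.840.113549.1.1 prefix
SAMPLE_CHAIN = [
    _fake_cert(_PKCS1 + b"\x05"),  # leaf: sha1WithRSAEncryption, signed by intermediate
    _fake_cert(_PKCS1 + b"\x04"),  # intermediate: md5WithRSAEncryption, signed by root
    _fake_cert(_PKCS1 + b"\x05"),  # trusted root, self-signed (exempt from the check)
]
```

`md5_signed_certs(SAMPLE_CHAIN)` reports the intermediate, which is exactly the position the affected CAs' MD5-signed sub-CA certificates occupy in a real chain.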
One problem: I have one password for every account I have, and that is a big problem!
It’s not a problem. You will think you are entering your login/password to your bank, while this is not your bank – rather a malicious clone signed with a rogue certificate.
This is a targeted attack, of course, since hackers must create a clone of the bank web site. But covering 10-20 popular banks will cover the majority of users.
So, what is the password?
(Please end the suspense.)
passw0rd ?
I am killed by the number of people I help out with their computers whose password is “passw0rd”… probably a crazy high percentage of the non-techies using computers…
I want to know the password, too.
A problem that you could resolve. Should change them at least once per month.
You are talking crazy. I have been using the same password for all my internet stuff since 97.
What’s the password?
Wow, they used the PS3 for this?
Should’ve been in the title.
PS3s run IBM’s CELL Processor, there’s a Linux distribution for it, and ganging them together is a very cost effective (like ~US$400/node) way to make a parallel cluster…
The picture is from the 1992 Sneakers film. Good movie.
I came by to say props on the image too. Nice pull.
I thought it was a picture from the conference! LOL
Great movie. Just too bad the researchers used all 200 PS3s when a simple answering machine could have sufficed (movie ref)
one of my favorite movies of all time!
Does anyone have a list of the CAs still using MD5?
According to this:
http://www.win.tue.nl/hashclash/rogue-ca/#sec5
the vulnerable CAs are:
* RapidSSL
* FreeSSL (free trial certificates offered by RapidSSL)
* TC TrustCenter AG
* RSA Data Security
* Thawte
* verisign.co.jp
Thawte!?!? That’s really surprising.
Yeah! Can’t believe it! I thought thawte was great and I am planning to use their certs!
RapidSSL
FreeSSL
TrustCenter
RSA Data Security
Thawte
verisign.co.jp
full slides at http://events.ccc.de/congress/2008/Fahrplan/attachments/1251_md5-collisions-1.0.pdf
I must say, that definitely was one of the most inspiring talks of 25C3.
What really is surprising is they have not got a response out!
It’s only some certificates and they know exactly who they signed….
Really, I would say they should do something; otherwise these certificates are going to be cut out of browsers and so their customers will get rather upset…
regards
John Jones
http://www.johnjones.me.uk
Quality of writing is deteriorating. Can you please tell me why this matters, what I can/should do about it, before jumping into a poorly written technical explanation?
I know it’s the holidays but surely there’s an editor around…
Summary: any certificate you receive from a server that has an md5-hashed certificate anywhere in its chain (with the exception of the trusted root certs) could be fake *right now*.
It’s not easy to tell if a certificate is untrustworthy either. You need to scan every cert in the chain.
Browsers need to start warning if MD5 appears in the trust chain *right now*.
Wrong.
In order for this attack to succeed, two things must be true:
1) Your DNS lookup returns a rogue server’s IP instead of the intended destination (difficult, but plausible thanks to Dan Kaminsky’s DNS attack found a few months ago)
2) The rogue server must have a forged cert, signed with the MD5 of a “real” CA, obtainable only through brute forcing the CA’s signature.
If both are not true, you’re safe.
Your 1) condition is too restrictive. Here are some alternatives for 1:
1a) You connect to some random WiFi access point that redirects packets.
1b) Your home router is hacked.
1c) Your traffic is proxied through some other compromised router (maybe an IT guy in the office)
1d) A party redirects a large block of the internet via some BGP announcement (I don’t know much about this, but Youtube was redirected a while ago).
As for 2), the forged certs could be generated as needed by a simple MITM server. The attacker effectively has a full CA that they can use to generate any unrevocable certificate they want, for any server they want. All the certificates will appear valid to the end-user.
Considering that SSL MITM attacks have been seen in the wild and that a successful attack is very valuable, I’d say that this is very plausible (at least enough of a risk to disable MD5 intermediate CAs!):
https://bugzilla.mozilla.org/show_bug.cgi?id=460374
Just roll over and go back to sleep.
Shut it toby.
>> Quality of writing is deteriorating.
I disagree. The technical readers appreciate this article. It’s a breath of fresh air to read an article on computer security as opposed to a lot of fluff articles in TechCrunch.
Amen — I am grateful to learn more of the technical side of things, and if you don’t like an article or if it is over your head, you can exercise your right to use the “close tab” function.
Did the CAs include weaselly terms in their agreements that render them immune to selling us a defective product ?
Btw: “SHA-3” has yet to be chosen and tested (http://csrc.nist.gov/groups/ST/hash/sha-3/index.html); there is simply no such thing.
Granted, the level of effort required to perform such an attack is currently enormous, and the potential gains are probably limited, so it’s likely not the kind of thing that would be pulled on average Internet users. But it’s still something about which to be concerned.
— Wanna bet?
I disagree, and here’s why:
A motivated attacker with some cash buys up a cluster of PS3s (or just rents EC2 boxes for a while). Probably cash spent by the attacker: < $50k.
They generate a fake Certificate Authority within a few weeks.
They issue a certificate for http://richpersonbank.com (or paypal.com, etrade.com, etc) that appears valid to ALL browsers today from their own CA. The certificate they issue will even have the Extended Validation markers in the UI!
They set up an open Wifi access point, sniff Tor output routes and poison DNS servers to try and get bank traffic to go to their compromised servers.
Users enter their credentials, bad guys empty their accounts.
This is a profitable enterprise and you’ll trick even seasoned netizens.
I don’t think sniffing online banking would matter much, online banking websites I’ve seen don’t even display account numbers. Am I wrong?
I think an email account is where much of the risk is, because these days we use email to verify identity.
> tell me why this matters
A malicious person could ultimately issue digital certificates for arbitrary web sites and your current browser will not be able to determine that the certificate is a rogue certificate (think https://secure.yourbank.com/).
In combination with another type of attack (such as a DNS attack or man-in-the-middle attack), all trust breaks down. Except that the browser will not know this.
> what I can/should do about it
A technical user can examine the certificate and all certificates up the chain to the root CA to ensure usage of SHA-1 and/or look for odd stuff, but this must be done each time you visit a secure site (except for those with extended validation certs, which are not affected).
A non-technical user is pretty much out-of-luck.
If you are a CA or browser/OS vendor, that is where the remediation work needs to be done.
Are you sure EV certs are unaffected? If a rogue creates their own CA, they can issue their own EV certs as needed.
Good question. But, yes I’m sure that EV certs are not affected. EV certs cannot use MD5 in any certs in the chain.
I suppose it is possible that a bad implementation of cert validation might screw this up, but I’m not aware of any.
EV uses SHA-1 in the chain, so it’s safe, until someone finds a collision in the significantly larger SHA-1 space.
More than anything, I see rooms full of Chinese hackers working for the Chinese Government cranking away at this as we type; same goes for Russia and North Korea. This is simply a matter of international security.
$50k is not hard to come up with if a team did it. Crazy.
Interesting. I would have never thought any vulnerability could have been accessed through MD5; now I will be looking in other forms for more sensitive data. However, I will still use MD5 for passwords.
MD5 has been susceptible to exploits for some time, using these same collisions. See http://seclists.org/bugtraq/2007/Apr/0018.html for a similar attack on MD5. This attack concerned faking a POP3 server. This attack could be easily detected just by forcing RFC standards, but as written in that post from April 2007 – “However, it is theoretically possible to use his idea with RFC-compliant message-id if one does a precomputation of 2^64 MD5, using the birthday paradox (it has to be done only once to break as many password as wanted). This is very expensive, but not completely unrealistic… “. I don’t know if it’s using the same collision attack, but consider it realized. The real shame is that some root CAs are still using MD5, when it is known that it was vulnerable to collision attacks.
The PDF concludes with this: “No need to panic, the Internet is not completely broken” and assures us that the “affected CAs are switching to SHA-1”. SHA-1 is believed to be weak against certain attacks, though, so it might be better for the vulnerable CAs to jump right to SHA-2 or SHA-3.
SHA-3? There is no such thing (yet). Please do your homework before spouting nonsense!
MD5 has been flagged as “completely broken” for almost a year now. This result is not surprising.
Who cares about the man-in-the-middle attacks? What someone should do is start generating free (or very cheap) SSL certs for web server operators to use that use the rogue CA certs for the root cert. Most of us are tired of paying $400 annually for a few kilobytes of data. Being able to self-sign certs with a known root CA without any browser doing a popup dialog is quite appealing.
GoDaddy offers SSL certs for $30. Depending on the application you’re looking to secure, this may be “good enough”. The GoDaddy CA isn’t listed as one still using MD5, so that’s one less thing to worry about. :)
For free certs, check out the CACert project at http://www.cacert.org/
It’s a community-run web of trust that requires you to meet other people to get “assurance points” which you can then use to generate different kinds of certificates.
There’s been some long-running controversy as to whether this CA will ever be trusted by Firefox out-of-the-box. I haven’t been paying close attention to this issue, so maybe it’s been resolved definitively one way or the other by now. If not, perhaps a sufficiently large body of vocal advocates can help get the CACert CA trusted by Firefox.
$30 annually is still too much. My problem isn’t so much the initial cost but the renewal fees. Come on – have you ever looked at how a CA operates? While the setup might involve a human, the renewal process is _completely automated_. You pay the bill and download an updated cert. That is my real problem. I could care less how much the setup fee is, but the annual fee being at the same price of the setup fee is unacceptable.
CA Cert is nowhere near getting full browser inclusion. If they don’t even have Firefox inclusion, then they likely never will get IE inclusion. However, http://cert.startcom.org/ is much closer. They only need Internet Explorer (Windows) root certificate integration to have all the major browsers covered. The downside is Microsoft isn’t likely to let them have it.
This vulnerability is removed. VeriSign closed this hole this morning. More information here: https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php
That is the lamest thing I’ve read in a LONG time. There’s big money to be had in getting your hands on a legitimate root cert for spoofing. A LOT of criminals and governments, for instance, would be quite interested. These researchers were probably more afraid of getting kidnapped and murdered than legal action (afraid of that too).
Come on guys, the truth is that this is just a ps3 marketing campaign :)
LOL, how many numbnuts on the internet even know what the padlock means. Go on, ask someone who isn’t a geek. When you can still phone up someone and ask for their banking details over the phone as a “security” check, then life is easy for phishers.
People still use md5? Thought sha(1) was the new standard.
There was an episode on security and encryption on CrankyGeeks with some of the who is who on that subject…
I guess that’s worst revisiting once more (They reran it when zd flooded)
*that’s worth revisiting… Sorry, 2:56 AM!
Too many secrets
This question is so perfect.
You have known about SSL hackers.
Uh oh, that’s pretty scary!
Jess
http://www.internet-anonymity.net.tc
This is really interesting stuff. I suggest sha-3
Whoa, Sneakers! Love that movie. Now all I can think of is solving encryption keys using scrabble and blind guys driving vans.
If you haven’t watched Sneakers, you should. It’s one of the best hacker movies ever made (up there with War Games).
What is “EV” referenced above?
Also, what exactly can be done to make sure I’m not using one of the MD5 CAs?
EV stands for Extended Validation SSL.
According to the CA Browser Forum,
“Extended Validation SSL (EV SSL) Certificates build on the existing SSL certificate format, but provide an additional layer of protection in a strictly defined issuance process created to ensure that the certificate holder is who they claim to be.”
Read all about EV here:
http://www.cabforum.org/
And American Express’s online account management system is using an MD5 certificate. Way to go.
I would think most people know what the green address bar is all about even if they don’t know about the padlock. IMO the green address bar is just plain awesome.
agreed
I’d pay around $50 for such a service. At least it’d be easy and I would feel more safe.