Breaking News: SSL Broken?

In what was probably only a matter of time, hackers in the US and Europe have apparently found a way to exploit a known weakness in the (1) MD5 algorithm (building on a known (2) MD5 collision construction found a while ago), using 200 PlayStation 3 (PS3) consoles and a few hundred dollars’ worth of test digital certificates.

There are about six (3) certificate authorities (CAs) using the weak MD5 crypto, and all six are trusted root authorities in most of the world’s common web browsers (Internet Explorer, Firefox, etc.). (4) Read this article for more information.

This revelation opens the door for potential phishing attacks in which a malicious site could conceivably present a certificate that mimics that of a real trusted web site (e.g. a bank’s secure web site). From the article (4):

“Browsers will display these web sites as “secure”, using common security indicators such as a closed padlock in the browser’s window frame, the web address starting with “https://” instead of “http://”, and displaying reassuring phrases such as “This certificate is OK” when the user clicks on security related menu items, buttons or links.”

“For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users’ passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.”

Thankfully (at least) there is potential for any certificate authority (CA) using MD5 to instead implement the stronger (5) SHA-2 hash algorithms or the anticipated SHA-3 standard (coming soon).

[ (1) http://en.wikipedia.org/wiki/MD5 ]
[ (2) http://www.cryptography.com/cnews/hash.html ]
[ (3) http://en.wikipedia.org/wiki/Certificate_authority ]
[ (4) http://blogs.zdnet.com/security/?p=2339 ]
[ (5) http://en.wikipedia.org/wiki/SHA-2 ]
