VeriSign replaces RapidSSL certificates

by Steve Ragan - Dec 31 2008, 17:06

Just before the New Year holiday, VeriSign has made good on its promise to a team of CCC researchers who exposed security problems on the MD5 hash used to sign new certificates purchased from RapidSSL. VeriSign has removed MD5 and switched to SHA-1 on all new certificates issued by RapidSSL.

VeriSign replaced MD5 on RapidSSL certificates. (IMG: S.Ragan - RSA)

Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger all took part in the research and development of the MD5 attack.Their research identified vulnerabilities in the Internet PKI used to issue digital certificates for secure Web sites. They took advantage of a weakness in the MD5 hash function that allows the construction of different messages with the same MD5 hash.Known as MD5 collision, the attack vector and methods have existed for some time. They were originally discovered in 2004, while more research was added to the original work in 2007. Yesterday, when The Tech Herald covered the CCC talk, we explained that this was a new attack on an existing issue.“This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites,” the researchers explained in their published work.“The infrastructure of Certification Authorities is meant to prevent exactly this type of attack,” they added. “Our work shows that known weaknesses in the MD5 hash function can be exploited in realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.”Indeed, six CAs are listed as vulnerable to the MD5 issue. However, RapidSSL was singled out because of the sheer volume of SSL certificates issued using MD5. Out of a sample 30,000 Web site certificates, Sotirov and Appelbaum discovered that 9,000 of them were signed with MD5. Of those 9,000 sites, 97 percent were RapidSSL certificates.Using 200 PlayStation 3 videogame systems for raw computing power, the researchers took four days to create a rogue CA certificate. The cost of the four attempts was $657.00 USD. The attack ultimately allowed the researchers to make themselves an Intermediate Certificate Authority.The advancements to the 2004 and 2007 MD5 research made this the, “Perfect Man-In-The-Middle attack,” the researchers said.At the end of the CCC address, Appelbaum suggested that one way to prevent this from happening is to switch from MD5 and use the more secure hash SHA-1. A suggestion that VeriSign took to heart, as the company began doubling its efforts to phase out MD5 within a few hours of the talk's conclusion.VeriSign said it has been phasing out the MD5 hashing algorithm for years. Until the MD5 exploit was made public, VeriSign said it planned to discontinue the use of MD5 in customers' certificates by the end of January 2009. “We applaud this team’s research and efforts to improve online security as well as their disclosure of the findings for the benefit of the broader Internet community,” said Chris Babel, Senior Vice-President and General Manager at VeriSign. “We take issues like these very seriously and work quickly to remedy vulnerabilities that could potentially affect trust and security online.” An interesting side note to the disclosure is that at least two vendors signed Non-Disclosure Agreements (NDAs) before they were made aware of the issue. Both Microsoft and Mozilla signed NDAs but there is no word on if VeriSign signed one as well when it was informed of the RapidSSL issues.VeriSign reports that it has discontinued using MD5 when issuing RapidSSL Certificates and confirmed that all other SSL Certificates that VeriSign issues are not vulnerable to this MD5 attack. VeriSign will continue on its path to discontinue MD5 in all end entity certificates by the end of January 2009.Though existing end entity certificates are not at risk from this particular attack, RapidSSL customers who have certificates in place using the MD5 hashing algorithm may choose to replace their certificates with RapidSSL SHA-1 certificates at no extra charge.

Comment on this Story

Interested in a more interactive TTH? Join our Facebook Group
Want regular updates from The Tech Herald? Follow us on Twitter

Comment on this Story

Note our older Talkback system is still running below. We hope to import existing comments into the new system shortly. Guest posting is still allowed, however, you can now login with any number of social network accounts.

Talkback

Add your comment (no registration required)

page: 1

NoNameDec 31st, 2008 - 20:09:29

I checked the signature algorithm of some in some of my certificates and found that Equifax seems to be using MD5... can someone else verify?

Report this comment

EideardJan 1st, 2009 - 04:18:05

What a crock. Tempest in a teapot would be too dynamic for this farce.

Verisign has been making the changeover for a while, now. Banking IT folks I talk to say they stopped used people like RapidSSL exactly because they continued with MD5.

Verisign said weeks ago, they'd have the transition completed by January 2009.

Uh, that's tomorrow.

Report this comment

TipJan 3rd, 2009 - 07:52:09

The attack seems to be mitigated...unless it has already been exploited before (by organized crime or whoever)! In this case, there may already well exist a certificate seemingly signed by RapidSSL and having the rights to certify other certificates. As RapidSSL only signs end server certificates, this means that, in order to (almost - there may also be some rogue end server certificates) fully thwart the attack, it is necessary to modify SSL implementations to refuse certificates with CA rights, signed with RapidSSL.
This phase-in phase-out stuff is just Verisign making fun of us... It was at least possible to reserve the use of MD5 for renewal and not new customers! And how come then did Verisign perform the transition in one day, while the phase-out took them already more than one year (since the theoretical vulnerability was known)???

Report this comment

page: 1

Add your comment (no registration required)

Security

VeriSign replaces RapidSSL certificates

Comment on this Story

Talkback

Latest

Latest Articles on Monsters&Critics

In The Tech Herald

Site

The Fine Print