Just before the New Year holiday, VeriSign has made good on its promise to a team of CCC researchers who exposed security problems in the MD5 hash used to sign new certificates purchased from RapidSSL. VeriSign has removed MD5 and switched to SHA-1 on all new certificates issued by RapidSSL.
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger all took part in the research and development of the MD5 attack.
Their research identified vulnerabilities in the Internet PKI used to issue digital certificates for secure Web sites. They took advantage of a weakness in the MD5 hash function that allows the construction of different messages with the same MD5 hash.
Known as an MD5 collision, the attack vector and methods have existed for some time. They were originally discovered in 2004, and further research was added to the original work in 2007. Yesterday, when The Tech Herald covered the CCC talk, we explained that this was a new attack on an existing issue.
“This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites,” the researchers explained in their published work.
“The infrastructure of Certification Authorities is meant to prevent exactly this type of attack,” they added. “Our work shows that known weaknesses in the MD5 hash function can be exploited in a realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.”
Indeed, six CAs are listed as vulnerable to the MD5 issue. However, RapidSSL was singled out because of the sheer volume of SSL certificates issued using MD5.
Out of a sample of 30,000 Web site certificates, Sotirov and Appelbaum discovered that 9,000 of them were signed with MD5. Of those 9,000 sites, 97 percent were RapidSSL certificates.
Using 200 PlayStation 3 videogame systems for raw computing power, the researchers took four days to create a rogue CA certificate. The cost of the four attempts was $657.00 USD. The attack ultimately allowed the researchers to make themselves an Intermediate Certificate Authority.
The advancements to the 2004 and 2007 MD5 research made this the “Perfect Man-In-The-Middle attack,” the researchers said.
At the end of the CCC address, Appelbaum suggested that one way to prevent this from happening is to switch from MD5 to the more secure SHA-1 hash. VeriSign took the suggestion to heart, and the company began doubling its efforts to phase out MD5 within a few hours of the talk's conclusion.
VeriSign said it has been phasing out the MD5 hashing algorithm for years. Until the MD5 exploit was made public, VeriSign said it planned to discontinue the use of MD5 in customers' certificates by the end of January 2009.
“We applaud this team’s research and efforts to improve online security as well as their disclosure of the findings for the benefit of the broader Internet community,” said Chris Babel, Senior Vice-President and General Manager at VeriSign. “We take issues like these very seriously and work quickly to remedy vulnerabilities that could potentially affect trust and security online.”
An interesting side note to the disclosure is that at least two vendors signed Non-Disclosure Agreements (NDAs) before they were made aware of the issue. Both Microsoft and Mozilla signed NDAs, but there is no word on whether VeriSign signed one as well when it was informed of the RapidSSL issues.
VeriSign reports that it has discontinued using MD5 when issuing RapidSSL Certificates and confirmed that all other SSL Certificates that VeriSign issues are not vulnerable to this MD5 attack. VeriSign will continue on its path to discontinue MD5 in all end entity certificates by the end of January 2009.
Though existing end entity certificates are not at risk from this particular attack, RapidSSL customers who have certificates in place using the MD5 hashing algorithm may choose to replace their certificates with RapidSSL SHA-1 certificates at no extra charge.
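For administrators taking stock of which deployed certificates still carry an MD5 signature, the check comes down to reading the certificate's signatureAlgorithm field. The following is an added example, not code from the article or from the researchers; the host names and the skeleton DER certificates are constructed for illustration.

```python
# Added example: report which DER certificates carry an MD5-based signature (stdlib only).
WEAK_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
KNOWN_OIDS = {**WEAK_OIDS, "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    subids, value = [], 0
    for byte in body:                      # base-128 digits, high bit = "more follows"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)        # first sub-identifier packs the first two arcs
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_oid(cert_der):  # OID of the outer Certificate.signatureAlgorithm
    tag, start, _ = read_tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, start)              # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    return decode_oid(cert_der[oid_start:oid_end])

def tlv(tag, body):  # DER encoder, used only to build the constructed samples
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(last_arc):  # constructed skeleton, not a valid certificate
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg)   # serial number + inner algorithm only
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 128))

SAMPLES = {"legacy.example": sample_cert(4), "reissued.example": sample_cert(5)}

def audit(certs):  # name -> (algorithm, needs_replacement)
    oids = {name: signature_oid(der) for name, der in certs.items()}
    return {n: (KNOWN_OIDS.get(o, o), o in WEAK_OIDS) for n, o in oids.items()}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Only MD5 is flagged here, matching the article. SHA-1 has since been retired for certificate signatures as well, so a current audit would add its OID to `WEAK_OIDS`.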