, SecurityFocus 2008-12-30
Story continued from Page 1
Yet, despite the discovery of major weaknesses in the MD5 hash algorithm, six certificate authorities continued to issue MD5-signed certificates in 2008.
The research group analyzed a sampling of 30,000 certificates from sites online and found that 30 percent were signed using MD5. Nearly all, 97 percent, came from a single certificate authority: RapidSSL.
Part of the problem is that every mom-and-pop e-commerce site needs an SSL certificate to create a trusted store front, but most merchants do not want to pay hundreds of dollars per year for a few bits, so cheaper and less trustworthy providers have appeared, said HD Moore, director of BreakingPoint Labs.
"If you have that many people that need it for e-commerce, the further down the chain you go the less strict the validation is going to be because you are cutting costs," he said.
The group of researchers took advantage of RapidSSL's fast issuance of certificates. Their attack consisted of creating two certificates and ensuring that the certificates had the same MD5 hash what is known as a collision. The two certificates consisted of a Web site certificate for a legitimate site and an intermediate certificate authority (CA) certificate that normally identifies a trusted issuer of certificates. Because RapidSSL has an automated script that issues MD5-signed certificates and assigns a sequential serial number and guessable expiration date to the certificates, the researchers were able to fill in the fields of the certificate with the appropriate information and use a distributed computer made up of 200 PlayStation 3 game machines equivalent to 8,000 standard desktop computers to calculate the data needed to make the two certificates have identical MD5 hashes. Each attempted attack took less than two days.
Because of problems with timing and other certificate requests taking the serial number they had reserved, the team was not successful until its fourth try. Armed with the new certificate, the researchers could have issued any number of additional certificates using the authority of their newly minted rogue CA.
There is no easy way to revoke the MD5-signed certificates, security experts said. Removing the six certificate authorities from the trusted CA list included in the major browsers would cause chaos among the companies' customers, as browsers would not longer register legitimate sites as trusted.
The problem underscores that the infrastructure underpinning Secure Sockets Layer (SSL) is in need of a rewrite, said Dino Dai Zovi, a well-known security researcher and security manager at a financial firm whose name he asked not be used.
"We need the browser trust model 2.0," Dai Zovi said. "Right now there is an inner circle of CAs, and then other authorities that are less well known and trusted, but to a browser all certificate authorities are trusted equally."
The researchers urged browser makers and certificate authorities to move away from support for certificates that use MD5 hashes and toward stronger standards as quickly as possible. The National Institute of Standards and Technology (NIST) has kicked off its search for a stronger hashing standard, currently dubbed Secure Hash Algorithm 3 (SHA-3). Some four dozen entries are currently under scrutiny.
"It's imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard," EPFL's Lenstra said in the statement.
Neither Microsoft nor Mozilla has set a deadline by which certificate authorities would need to complete their move to SHA-1 or SHA-2 certificates and reissue new credentials to their customers.
"We've been in contact with vulnerable certificate authorities on this issue, and are confident that they are working with appropriate urgency to address the problem by eliminating their use of MD5 for certificate generation," Johnathan Nightingale, the so-called "Human Shield" for Mozilla, said in a statement sent to SecurityFocus. "We don't believe that a deadline or other 'threat' is either helpful or necessary at this point, and we're glad that MD5 will be eliminated from CA use in short order."
UPDATE: The article was updated Tuesday afternoon with additional comments from security experts and statements from both Mozilla and Microsoft.
If you have tips or insights on this topic, please contact SecurityFocus.