SSL Crisis Averted -- For Now

VeriSign quickly fixes vulnerable SSL digital certificates at risk of newly revealed hack, but experts say there's no way to know for sure if phony certificates exist from previous attacks

It took VeriSign only four hours to close a hole that had left customers of some of its digital certificates vulnerable to a new attack revealed by researchers just before the new year. White-hat hackers exploited a known weakness in the MD5 hashing algorithm used to sign some digital certificates, which allowed them to impersonate secure Websites.

While the attack was considered deadly due to its transparency and ability to mimic a secure Website, the good news is that it was isolated to only a minority of digital certificates that use the older and less secure MD5 algorithm. According to Netcraft, about 15 percent of all digital certificates in December were signed with MD5.

The researchers demonstrated at the 25th Chaos Communication Congress in Berlin last week how they were able to purchase a legitimate certificate from RapidSSL, which is part of VeriSign, and then forge a phony trusted certificate authority.

In response, VeriSign moved its planned transition from MD5 to the more secure SHA-1 algorithm for its RapidSSL products up a month, from the end of January to last week. Tim Callan, vice president of product marketing with VeriSign, says the company is still in the process of phasing out MD5 in some three or four other types of digital certificates, including a few used in Japan, but these are not vulnerable to the attack exposed in Berlin.

"The MD5 hashing algorithm is still in use on a small subset of products we offer, and that is in the process of being phased out," Callan says.

End of (threat) story? Not exactly. Although researcher Alexander Sotirov admits it's unlikely the attack has been performed before, he and other researchers say there's still no way to know for sure: "Even though it's unlikely, the theory behind our attack has been published since 2007, and it is possible that somebody else has been able to implement it. In this case, any one of the certificates issued by RapidSSL since 2007 could have been malicious, but there is no way to detect which one," he says.

"What is an issue is the possibility that somebody has already done such an attack in the past. If they want to fully mitigate this risk, VeriSign needs to replace all previously issued certificates with new ones and then remove the old RapidSSL root certificate from the list of CAs trusted by the browsers."

VeriSign's Callan also says it's unlikely anyone could have executed such an attack, and that the researchers behind the hack are a top-notch team that had the expertise and resources to do so. Although signing RapidSSL's certs with SHA-1 now guards users from the attack, VeriSign cryptographers, meanwhile, are also researching whether there's a marker that could help detect any "living" certificates that could have been out there long before last week's publicized hack. "We are looking into it and seeing if there's a marker to determine if these [malicious] certificates are existing. I don't know if we will find [the marker]," Callan says.

The team of U.S. and European researchers was able to execute nearly undetectable phishing attacks by exploiting the "collision" weakness of the MD5 hash algorithm, using a cluster of more than 200 PlayStation 3s to do the computation. That cleared the way for their creation of a forged CA and X.509 digital certificates.

RapidSSL's certificates were especially vulnerable because they use an automatic system that provides predictable serial numbers. Callan says VeriSign plans to get rid of the predictable serial-number approach altogether in RapidSSL certificates.
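The defender-side check the two paragraphs above call for, as an added example that is not code from the article or from the researchers: a minimal DER walker that reads a certificate's serial number and signature-algorithm OID and flags md5WithRSAEncryption. The sample certificate is constructed inside the block (skeleton fields and a dummy signature), not a real RapidSSL certificate.

```python
# Added example (not from the article): walk a DER X.509 certificate and flag
# the MD5-based signature algorithm; the sample cert below is constructed here.
MD5_RSA = "1.2.840.113549.1.1.4"     # md5WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"    # sha1WithRSAEncryption
WEAK_SIG_OIDS = {MD5_RSA: "MD5"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets -> dotted string (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """Return (serialNumber, signatureAlgorithm OID) of a DER Certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, pos = _tlv(cert, 0)            # tbsCertificate
    _, alg, _ = _tlv(cert, pos)            # signatureAlgorithm
    _, oid_raw, _ = _tlv(alg, 0)           # AlgorithmIdentifier.algorithm
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        _, val, pos = _tlv(tbs, pos)       # then serialNumber INTEGER
    return int.from_bytes(val, "big", signed=True), _decode_oid(oid_raw)

def weak_signature(der):
    """Name of the weak hash if the signature uses one, else None."""
    return WEAK_SIG_OIDS.get(inspect_cert(der)[1])
# --- constructed sample certificate (skeleton only, dummy signature bits) ---
OID_BYTES = {MD5_RSA: bytes.fromhex("2a864886f70d010104"),
             SHA1_RSA: bytes.fromhex("2a864886f70d010105")}
def _der(tag, content):                    # short-form length is enough here
    return bytes([tag, len(content)]) + content

def build_sample_cert(serial, sig_oid):
    alg = _der(0x30, _der(0x06, OID_BYTES[sig_oid]) + b"\x05\x00")  # + NULL
    ser = _der(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + ser + alg)  # v3
    return _der(0x30, tbs + alg + _der(0x03, bytes(17)))           # BIT STRING
```

Browsers have since retired SHA-1 certificate signatures as well, so a current deployment would add SHA1_RSA to WEAK_SIG_OIDS.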

VeriSign says the worst of the threat is over now that RapidSSL is SHA-1. But there's still more work to do. "Clean-up needs to take place, and we're prioritizing that. We're in the process of getting rid of MD5 [altogether]," Callan says.

But so far, browser vendors haven't yet removed RapidSSL from their lists of trusted CAs, notes Sotirov. "The browsers don't want to do this because it will break many innocent Websites on the Internet. But without the threat of being removed from the browsers and losing business, the commercial CA companies won't have any financial incentive to make security a higher priority," he says. "My prediction is that unless the browser vendors take a more proactive stance against misbehaving CAs, we'll see many other cases of CAs putting Internet users at risk in the future."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

