1/5/2009
02:55 PM

SSL Crisis Averted -- For Now

VeriSign quickly fixes vulnerable SSL digital certificates at risk of newly revealed hack, but experts say there's no way to know for sure if phony certificates exist from previous attacks

It took VeriSign only four hours to close a hole that had left customers of some of its digital certificates vulnerable to a new attack revealed by researchers just before the new year. White-hat hackers exploited a known weakness in the hash algorithm used to sign some digital certificates, which allowed them to impersonate secure Websites.

While the attack was considered deadly due to its transparency and ability to mimic a secure Website, the good news is that it was isolated to only a minority of digital certificates that use the older and less secure MD5 algorithm. According to Netcraft, about 15 percent of all digital certificates in December were signed with MD5.

The researchers demonstrated at the 25th Chaos Communication Congress in Berlin last week how they were able to purchase a legitimate certificate from RapidSSL, which is part of VeriSign, and then forge a phony trusted certificate authority.

In response, VeriSign moved its planned transition from MD5 to the more secure SHA-1 algorithm for its RapidSSL products up a month, from the end of January to last week. Tim Callan, vice president of product marketing with VeriSign, says the company is still in the process of phasing out MD5 in some three or four other types of digital certificates, including a few used in Japan, but these are not vulnerable to the attack exposed in Berlin.

"The MD5 hashing algorithm is still in use on a small subset of products we offer, and that is in the process of being phased out," Callan says.

End of (threat) story? Not exactly. Although researcher Alexander Sotirov admits it's unlikely the attack has been performed before, he and other researchers say there's still no way to know for sure: "Even though it's unlikely, the theory behind our attack has been published since 2007, and it is possible that somebody else has been able to implement it. In this case, any one of the certificates issued by RapidSSL since 2007 could have been malicious, but there is no way to detect which one," he says.

"What is an issue is the possibility that somebody has already done such an attack in the past. If they want to fully mitigate this risk, VeriSign needs to replace all previously issued certificates with new ones and then remove the old RapidSSL root certificate from the list of CAs trusted by the browsers."

VeriSign's Callan also says it's unlikely anyone could have executed such an attack, and that the researchers behind the hack are a top-notch team that had the expertise and resources to do so. Although signing RapidSSL's certs with SHA-1 now guards users from the attack, VeriSign cryptographers, meanwhile, are also researching whether there's a marker that could help detect any "living" certificates that could have been out there long before last week's publicized hack. "We are looking into it and seeing if there's a marker to determine if these [malicious] certificates are existing. I don't know if we will find [the marker]," Callan says.

The team of U.S. and European researchers was able to execute nearly undetectable phishing attacks by exploiting the "collision" weakness in the MD5 hash algorithm, using a cluster of more than 200 PlayStation 3s to compute the collision. That cleared the way for their creation of a forged CA and X.509 digital certificates.

RapidSSL's certificates were especially vulnerable because they use an automatic system that provides predictable serial numbers. Callan says VeriSign plans to get rid of the predictable serial-number approach altogether in RapidSSL certificates.
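The two conditions the story describes, MD5-signed certificates and predictable serial numbers, are both things a defender can check for in the certificates they actually hold. The following is an added example (not code from the Dark Reading article, VeriSign, or the researchers): a minimal DER walker that reads the signature algorithm OID and serial number out of an X.509 certificate and flags MD5-based signatures, plus a heuristic that flags a batch of serial numbers from one CA as predictable when they are consecutive or too short to carry at least 64 bits of randomness (the minimum today's CA/Browser Forum Baseline Requirements impose). The certificates used to exercise it are constructed skeletons with empty issuer, subject, validity and key fields and a dummy signature; they are fixtures for the parser, not real certificates.

```python
# Added example, not from the article: inspect DER certificates for MD5
# signatures and audit CA serial numbers for predictability.

MD5_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}
SHA1_SIG_OID = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form (first arc < 2)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def inspect_certificate(der):
    """Return {'serial', 'sig_oid', 'md5_signed'} for a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, pos = _read_tlv(cert, 0)
    _, sig_alg, _ = _read_tlv(cert, pos)
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    _, oid_bytes, _ = _read_tlv(sig_alg, 0)
    sig_oid = _decode_oid(oid_bytes)
    # TBSCertificate: optional [0] EXPLICIT version, then serialNumber INTEGER
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    serial = int.from_bytes(value, "big", signed=True)
    return {"serial": serial, "sig_oid": sig_oid, "md5_signed": sig_oid in MD5_SIG_OIDS}


def serials_look_predictable(serials, min_bits=64):
    """Flag a batch of one CA's serials as predictable if they are consecutive
    or the largest is too short to hold min_bits of randomness."""
    s = sorted(serials)
    consecutive = len(s) > 1 and all(b - a == 1 for a, b in zip(s, s[1:]))
    too_short = max(s).bit_length() < min_bits
    return consecutive or too_short


# --- constructed fixtures (hypothetical skeleton certificates, not real) ---

def _tlv(tag, value):
    """Encode a DER TLV, using the long length form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def build_skeleton_cert(serial, sig_oid):
    """Structurally valid Certificate wrapper with the given serial and signature
    OID; issuer, validity, subject, key and signature are empty placeholders."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))  # [0] version v3
               + _tlv(0x02, serial_bytes)        # serialNumber
               + alg_id                          # signature
               + _tlv(0x30, b"") * 4)            # issuer, validity, subject, spki (empty)
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00" * 9))  # dummy BIT STRING


if __name__ == "__main__":
    print(inspect_certificate(build_skeleton_cert(12345, "1.2.840.113549.1.1.4")))
    print(serials_look_predictable([1000, 1001, 1002, 1003]))
```

Run against a real DER file, `inspect_certificate` reports the outer signature algorithm and the serial; `serials_look_predictable` is meant for a batch of serials issued by the same CA, which is the situation the RapidSSL weakness turned on. Both are audit checks for the conditions the article names, not a measure of whether any particular certificate was forged, which, as the researchers note above, cannot be told from the certificate alone.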

VeriSign says the worst of the threat is over now that RapidSSL is SHA-1. But there's still more work to do. "Clean-up needs to take place, and we're prioritizing that. We're in the process of getting rid of MD5 [altogether]," Callan says.

But so far, browser vendors haven't yet removed RapidSSL from their lists of trusted CAs, notes Sotirov. "The browsers don't want to do this because it will break many innocent Websites on the Internet. But without the threat of being removed from the browsers and losing business, the commercial CA companies won't have any financial incentive to make security a higher priority," he says. "My prediction is that unless the browser vendors take a more proactive stance against misbehaving CAs, we'll see many other cases of CAs' putting Internet users at risk in the future."

Kelly Jackson Higgins is the Executive Editor of Dark Reading.
