SSL Crisis Averted -- For Now
VeriSign quickly fixes vulnerable SSL digital certificates at risk of newly revealed hack, but experts say there's no way to know for sure if phony certificates exist from previous attacks
January 5, 2009
It took VeriSign only four hours to close a hole that had left customers of some of its digital certificates vulnerable to a new attack revealed by researchers just before the new year. White-hat hackers exploited a known weakness in the algorithm in some digital certificates that allowed them to impersonate secure Websites.
While the attack was considered deadly due to its transparency and ability to mimic a secure Website, the good news is that it was isolated to only a minority of digital certificates that use the older and less secure MD5 algorithm. According to Netcraft, about 15 percent of all digital certificates in December were signed with MD5.
The researchers demonstrated at the 25th Chaos Communication Congress in Berlin last week how they were able to purchase a legitimate certificate from RapidSSL, which is part of VeriSign, and then forge a phony trusted certificate authority.
In response, VeriSign moved its planned transition from MD5 to the more secure SHA-1 algorithm for its RapidSSL products up a month, from the end of January to last week. Tim Callan, vice president of product marketing with VeriSign, says the company is still in the process of phasing out MD5 in some three or four other types of digital certificates, including a few used in Japan, but these are not vulnerable to the attack exposed in Berlin.
"The MD5 hashing algorithm is still in use on a small subset of products we offer, and that is in the process of being phased out," Callan says.
End of (threat) story? Not exactly. Although researcher Alexander Sotirov admits it's unlikely the attack has been performed before, he and other researchers say there's still no way to know for sure: "Even though it's unlikely, the theory behind our attack has been published since 2007, and it is possible that somebody else has been able to implement it. In this case, any one of the certificates issued by RapidSSL since 2007 could have been malicious, but there is no way to detect which one," he says.
"What is an issue is the possibility that somebody has already done such an attack in the past. If they want to fully mitigate this risk, VeriSign needs to replace all previously issued certificates with new ones and then remove the old RapidSSL root certificate from the list of CAs trusted by the browsers."
VeriSign's Callan also says it's unlikely anyone could have executed such an attack, and that the researchers behind the hack are a top-notch team that had the expertise and resources to do so. Signing RapidSSL's certs with SHA-1 now guards users from the attack; meanwhile, VeriSign cryptographers are researching whether there's a marker that could help detect any "living" certificates that could have been out there long before last week's publicized hack. "We are looking into it and seeing if there's a marker to determine if these [malicious] certificates are existing. I don't know if we will find [the marker]," Callan says.
The team of U.S. and European researchers was able to execute nearly undetectable phishing attacks by exploiting the "collision" weakness in the MD5 hash algorithm with a cluster of more than 200 PlayStation 3s. That cleared the way for their creation of a forged CA and X.509 digital certificates.
RapidSSL's certificates were especially vulnerable because they use an automatic system that provides predictable serial numbers. Callan says VeriSign plans to get rid of the predictable serial-number approach altogether in RapidSSL certificates.
VeriSign says the worst of the threat is over now that RapidSSL is SHA-1. But there's still more work to do. "Clean-up needs to take place, and we're prioritizing that. We're in the process of getting rid of MD5 [altogether]," Callan says.
But so far, browser vendors haven't yet removed RapidSSL from their lists of trusted CAs, notes Sotirov. "The browsers don't want to do this because it will break many innocent Websites on the Internet. But without the threat of being removed from the browsers and losing business, the commercial CA companies won't have any financial incentive to make security a higher priority," he says. "My prediction is that unless the browser vendors take a more proactive stance against misbehaving CAs, we'll see many other cases of CAs' putting Internet users at risk in the future."
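For administrators checking whether any certificate they still rely on carries an MD5 signature, the following added example (not code from the article, VeriSign or the researchers) reads the serial number and signature algorithm straight from a certificate's DER encoding. The two sample certificates are constructed skeletons built inline, and the function names are this example's own.

```python
SIG_OIDS = {  # PKCS #1 signature algorithm OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode base-128 OID sub-identifiers into dotted form."""
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of a sub-identifier
            subs, val = subs + [val], 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def audit_cert(der):
    """Return (serial, signature algorithm, is_md5) read from tbsCertificate."""
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]  # Certificate -> tbsCertificate
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                      # optional [0] EXPLICIT version
        tag, val, pos = read_tlv(tbs, pos)
    serial = int.from_bytes(val, "big")  # serialNumber INTEGER
    _, alg, _ = read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    oid = decode_oid(read_tlv(alg, 0)[1])
    name = SIG_OIDS.get(oid, oid)
    return serial, name, name.startswith("md5")

def tlv(tag, body):  # tiny DER encoder (bodies < 128 bytes), only for the samples
    return bytes([tag, len(body)]) + body

def sample_cert(serial, oid_hex):  # constructed skeleton, not a real certificate
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    ser = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + ser + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

MD5_CERT = sample_cert(1001, "2a864886f70d010104")   # constructed sample
SHA1_CERT = sample_cert(1002, "2a864886f70d010105")  # constructed sample
print(audit_cert(MD5_CERT), audit_cert(SHA1_CERT))
```

A flagged certificate shows exposure to the MD5 weakness only; as Sotirov notes above, it does not reveal whether a given certificate was forged.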