Wednesday, December 31st, 2008

MD5 hash collision gets people worried about PKI

Category: Security

The paper MD5 considered harmful today, delivered at the 25th Chaos Communication Congress (25C3) in Berlin, has people scared again.

The team turned an MD5 collision into a rogue CA certificate, which is well explained by Simon Willison (he is so good at getting to the meat, a tough skill indeed):

Use an MD5 collision to create two certificates with the same hash, one for a domain you own and another for Get Equifax CA to sign your domain’s certificate using the outdated “MD5 with RSA” signing method. Copy that signature on to your home-made certificate to create a fake certificate for Amazon that will be accepted by any browser.
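To make the mechanics of the quoted attack concrete, here is an added example (not from the paper, from Simon Willison, or from this post) of the signature transplant: a CA signs only the hash of a certificate body, so a signature issued over one body verifies against any other body with the same digest. The two colliding inputs are the publicly known Wang/Yu MD5 collision pair, used as stand-ins for the to-be-signed bodies of the benign and rogue certificates; the CA key is textbook RSA over two Mersenne primes, assumed for the demo, and the function names are my own.

```python
import hashlib

# Two distinct 128-byte inputs with the same MD5 digest: the publicly known
# Wang/Yu collision pair (not data from the 25C3 paper). Here they stand in
# for the to-be-signed bodies of a benign certificate and a rogue one.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Toy CA key: textbook RSA over two Mersenne primes (assumed for the demo).
# Real CAs use 2048-bit keys with PKCS#1 padding; that padding wraps only
# the digest, so it does not change the lesson.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537


def _modinv(a: int, m: int) -> int:
    """Extended Euclid: return x with a*x == 1 (mod m)."""
    r0, r1, s0, s1 = m, a, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m


D = _modinv(E, (P - 1) * (Q - 1))


def digest_int(tbs: bytes, hash_name: str) -> int:
    """The only thing the CA actually signs: hash(tbs) as an integer."""
    return int.from_bytes(hashlib.new(hash_name, tbs).digest(), "big")


def ca_sign(tbs: bytes, hash_name: str) -> int:
    """The CA signs hash(tbs) with its private exponent."""
    return pow(digest_int(tbs, hash_name), D, N)


def verify(tbs: bytes, sig: int, hash_name: str) -> bool:
    """The relying party (browser) recovers the digest with the public key
    and compares it with its own hash of the body it was handed."""
    return pow(sig, E, N) == digest_int(tbs, hash_name)


def same_digest(hash_name: str) -> bool:
    """Do the two bodies collide under this hash?"""
    return digest_int(BLOCK_A, hash_name) == digest_int(BLOCK_B, hash_name)


def own_signature_verifies(hash_name: str) -> bool:
    """Control case: the benign body with its own signature always verifies."""
    return verify(BLOCK_A, ca_sign(BLOCK_A, hash_name), hash_name)


def transplant_succeeds(hash_name: str) -> bool:
    """Have the CA sign the benign body, then attach that signature to the
    rogue body and ask the browser whether it accepts it."""
    benign_sig = ca_sign(BLOCK_A, hash_name)
    return verify(BLOCK_B, benign_sig, hash_name)


if __name__ == "__main__":
    print("bodies identical:", BLOCK_A == BLOCK_B)
    for h in ("md5", "sha1", "sha256"):
        print(f"{h:7s} collide={same_digest(h)!s:5s} "
              f"own-sig-ok={own_signature_verifies(h)!s:5s} "
              f"transplant-accepted={transplant_succeeds(h)}")
```

With md5 the signature obtained for BLOCK_A verifies against BLOCK_B; with sha1 or sha256 the same transplant is rejected, while the CA's own signature still verifies under every hash, which shows the rejection comes from the digests differing and not from the toy key. The real attack adds the hard part the paper covers: shaping a collision into two bodies that are both well-formed X.509 structures, one an ordinary end-entity certificate that the CA will sign and the other a CA certificate.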

Mozilla Security folks issued an advisory which included the impact on users:

If a user visits an SSL site presenting a fraudulent certificate, there will be no obvious sign of a problem and the connection will appear to be secure. This could result in the user disclosing personal information to the site, believing it to be legitimate. We advise users to exercise caution when interacting with sites that require sensitive information, particularly when using public internet connections.


This is not an attack on a Mozilla product, but we are nevertheless working with affected certificate authorities to ensure that their issuing processes are updated to prevent this threat. Mozilla is not aware of any instances of this attack occurring in the wild.

Microsoft also issued an advisory.

Then we get SSL in perspectives, which walks us through 2008:

  1. Dan Kaminsky shook the world’s faith in DNS. BTW, you already checked your DNS hardness or switched to OpenDNS, didn’t you? Anyway, DNS security or not, you cannot trust non-SSL traffic when you’re traveling, or you’re behind a proxy you can’t control (TOR, for instance), or otherwise not using a trusted ISP… wait, do you really trust your ISP? OK, you should not trust non-SSL traffic, period.
  2. But then, Mike Perry demonstrated how cookies can be stolen from SSL-secured sites (and NoScript deployed some countermeasures).
  3. Unfortunately, a shameful incident revealed that you can easily buy a valid SSL certificate for a web site you’re not related to, if you find an unscrupulous enough vendor: in this case, a certificate was obtained by Eddy Nigg of StartCom Ltd. from the Certstar Comodo reseller, no questions asked. Of course, as a work-around, you could remove the offending CA root, but you must expect side effects (I discovered this breaks cleverbridge e-commerce back-ends, for instance). And, most important, are you sure this is the only sloppy CA out there?
  4. As if this didn’t suck enough, a talk was given today at 25C3 by Alex Sotirov, Arjen Lenstra and other high-profile researchers, who managed to leverage known MD5 weaknesses and not-safe-enough practices of some certificate issuers to build their own rogue CA.

It then talks about Perspectives, the Firefox plug-in that compares the fingerprint of the certificate a site presents against a database of fingerprints observed by independent network notaries, to detect false certs.

Phew. Two Web security pieces almost in a row :/

Posted by Dion Almaer at 12:03 am




Maybe this is why Pownce never supported SSL, it’s all broken anyways!

Comment by ilazarte — December 31, 2008

The article also makes the important point that SHA-1 (while not YET proven to be broken) should be similarly distrusted and phased out, in favor of SHA-2 (or something equivalent or better).
Everyone should check their own certificates’ encryption algorithm (how to do so is explained near the end of that article) and make sure you are comfortable with the level of protection it provides based on the premise of the paper (i.e., not MD5, and preferably not even SHA-1).
GoDaddy is who I use, and my two certificates are both SHA-1. I’ve sent them a request asking them to consider upgrading to SHA-2 and re-issuing my certificates.
I hope others will pay similar attention and make requests to their providers as they feel necessary. This is quite necessary (especially for those on MD5).

Comment by shadedecho — December 31, 2008
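One way to act on the commenter's advice above, as an added example that is not part of the post or of the comments: a small DER walker that pulls the outer signatureAlgorithm OID out of an X.509 certificate and flags md5WithRSA and sha1WithRSA. The OID values are the standard PKCS#1 ones; the sample certificates are constructed skeletons (dummy tbsCertificate, zero signature) built in the block itself so that it runs offline, and the function names are my own. Given a PEM file on the command line it reports on a real certificate instead.

```python
import base64
import sys

# Standard PKCS#1 signature-algorithm OIDs (RFC 3279 / RFC 4055).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode DER OID content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der: bytes) -> str:
    """OID of the outer signatureAlgorithm field of Certificate ::= SEQUENCE
    { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert_body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert_body, 0)          # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert_body, pos)      # AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)


def signature_algorithm_name(der: bytes) -> str:
    return SIG_ALG_NAMES.get(signature_algorithm(der), "unknown")


def is_weak_signature(der: bytes) -> bool:
    return signature_algorithm_name(der) in WEAK


def load_pem(path: str) -> bytes:
    with open(path) as f:
        body = "".join(l.strip() for l in f if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


# ---- constructed samples (skeletons, not real certificates) ----------------
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def sample_certificate(sig_alg_oid: str) -> bytes:
    """Structurally valid Certificate with a dummy tbsCertificate (padded past
    127 bytes to exercise long-form lengths) and an all-zero signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x00" * 200))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_alg_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 33)          # BIT STRING: unused-bits byte + zeros
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    certs = ([load_pem(sys.argv[1])] if len(sys.argv) > 1
             else [sample_certificate(o) for o in SIG_ALG_NAMES])
    for der in certs:
        print(f"{signature_algorithm(der):24s} {signature_algorithm_name(der):24s} "
              f"{'WEAK' if is_weak_signature(der) else 'ok'}")
```

The walker reads only the two outer fields it needs, so it works on any real DER certificate regardless of what the tbsCertificate contains; the name check is the same one you would do with `openssl x509 -noout -text`, just without the dependency.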
