Rogue Digital Certificates Require CAs, Browser Vendors Work to Tighten Internet Security
An international team of security researchers uncovers a way to forge digital certificates, potentially allowing hackers to launch virtually undetectable phishing attacks. The research underscores why certificate authorities and browser vendors must keep up with the latest anti-malware measures.

When news hit that a team of security researchers and cryptographers had discovered a way to create a rogue certificate authority, the oft-repeated rule of Internet security, "Trust no one," took on new significance. However, before panic strikes, the researchers pointed out there are a number of measures that can be taken by browser vendors and CAs (certificate authorities) to address the situation.
At the center of the problem is what is called an MD5 collision, a well-known vulnerability within the MD5 cryptographic hash function that makes it possible to construct different messages with the same MD5 hash. In this case, the researchers have found a way to use the situation to forge digital certificates. Armed with a cluster of more than 200 commercially available game consoles and an advanced implementation of the collision construction, the team of researchers was able to essentially create a rogue certification authority.
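One concrete measure of the kind the researchers allude to, written here as an added example rather than taken from the article or the research team: a relying-party check that parses a certificate's DER and refuses any whose signature algorithm is MD5-based, also flagging a mismatch between the inner and outer algorithm fields. The minimal DER walker and the constructed, unsigned test certificates are this example's own; the OIDs are the standard PKCS#1 values.

```python
# Added example, not from the article: a browser- or CA-side check that refuses
# certificates signed with MD5. Minimal DER walker; OIDs per RFC 3279 / PKCS#1.
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """DER OID content bytes -> dotted string, e.g. 1.2.840.113549.1.1.4."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def check_certificate(cert_der):
    """Return (accepted, reason); rejects MD5 signatures and tbs/outer algorithm mismatch."""
    _, cert, _ = _read_tlv(cert_der, 0)        # Certificate
    _, tbs, pos = _read_tlv(cert, 0)           # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)     # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)              # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, p = _read_tlv(tbs, p)            # serialNumber
    _, inner_alg, _ = _read_tlv(tbs, p)        # tbsCertificate.signature
    inner = _decode_oid(_read_tlv(inner_alg, 0)[1])
    outer = _decode_oid(_read_tlv(outer_alg, 0)[1])
    if inner != outer:
        return False, f"algorithm mismatch: tbs={inner} outer={outer}"
    if outer in MD5_SIGNATURE_OIDS:
        return False, f"MD5-based signature ({MD5_SIGNATURE_OIDS[outer]}) rejected"
    return True, outer

def _der(tag, content):  # short-form length only, enough for the constructed inputs
    return bytes([tag, len(content)]) + content

def fake_cert(oid_der):
    """Constructed, unsigned Certificate skeleton carrying the given algorithm OID (test input)."""
    alg = _der(0x30, oid_der + _der(0x05, b""))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg)  # serialNumber, signature
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

MD5_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"     # md5WithRSAEncryption
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
```

Run `check_certificate(fake_cert(MD5_RSA))` to see the rejection and `check_certificate(fake_cert(SHA256_RSA))` to see a SHA-256 certificate pass; a real DER certificate read from disk works with the same function.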