IT Security & Network Security News & Reviews - eWeek



IT Security & Network Security News

Rogue Digital Certificates Require CAs, Browser Vendors Work to Tighten Internet Security


By: Brian Prince
2008-12-30
Article Rating:starstarstarstarstar / 9


There are  user comments on this IT Security & Network Security News & Reviews story.



  Table of Contents:
  1. Rogue Digital Certificates Require CAs, Browser Vendors Work to Tighten Internet Security
  2. What to Do About the Attack

An international team of security researchers uncovers a way to forge digital certificates, potentially allowing hackers to launch virtually undetectable phishing attacks. The research underscores why certificate authorities and browser vendors must keep up with the latest anti-malware measures.

Rogue Digital Certificates Require CAs, Browser Vendors Work to Tighten Internet Security
( Page 1 of 2 )

When news hit that a team of security researchers and cryptographers had discovered a way to create a rogue certificate authority, the oft-repeated rule of Internet security—"Trust no one"—took on new significance.

However, before panic strikes, the researchers pointed out there are a number of measures that can be taken by browser vendors and CAs (certificate authorities) to address the situation.

At the center of the problem is what is called an MD5 collision, a well-known vulnerability within the MD5 cryptographic hash function that makes it possible to construct different messages with the same MD5 hash. In this case, the researchers have found a way to use the situation to forge digital certificates. Armed with a cluster of more than 200 commercially available game consoles and an advanced implementation of the collision construction, the team of researchers was able to essentially create a rogue certification authority.

The findings were presented Dec. 30 at the 35th Chaos Communications Conference in Berlin. If successfully executed, the attack would allow a hacker to impersonate any Web site on the Internet, leaving users open to phishing and other attacks. The good news is that the researchers have no shortage of advice on how the Internet community can deal with the problem.

First and foremost, they recommended CAs abandon their use of MD5. Many CAs have actually already done this, using standards such as SHA-1 instead. Still, the researchers found six CAs still using MD5 in 2008: RapidSSL, FreeSSL, TC TrustCenter, RSA Data Security, Thawte and Verisign.co.jp.

In response, VeriSign has now said it has removed the MD5 hash algorithm from the RapidSSL certifications it issues, which now all have SHA-1. In addition, the company also said it has ensured that no SSL (Secure Sockets Layer) certificate it sells under any brand is vulnerable to the attack laid out by the researchers. There are still some specific, non-RapidSSL certificates the company is still issuing on MD5. Those certificates are not vulnerable to this attack, and by the end of January they'll be off MD5 also, VeriSign said.








 
 
>>> More IT Security & Network Security News & Reviews Articles          >>> More By Brian Prince
 


FEATURED SPONSOR VIDEOS

Benefits of Workload Optimization

What Smart Companies MUST Learn from Gaming

Advances in Authentication

Vertical Markets Benefit from Workload Optimization

View More Videos

Brought to you by
Advertisement

FEATURED SPONSOR MESSAGE

Microsoft Sponsored Resource Center

Increase Your Microsoft Office 365 Knowledge! Dig inside this suite of cloud-based collaboration tools.

Watch the video >>

Brought to you by

Suggested Related Content:

Articles Labs/How-To Multimedia


Advertisement
Contact Us | About | Advertise | Site Map
eWEEK Quick LInks

Security:
Enterprise Networking
Network Security
Infrastructure Security
How To: Data
Security Watch Blog
Storage:
Data Storage
Cloud Storage
Storage Virtualization
Network Access Storage
How To: Storage
Storage Station Blog
Computing:
Apple OSX
Linux Systems
Windows 7
Managed Print Services
Computer Reviews
Microsoft Watch Blog
Google Watch Blog
Communications:
VoIP Solutions
Wireless Technology
Messaging Software
Web Services
Apps & Development:
Application Development
Enterprise Apps
Search Engines
Database Software
Web 2.0
CIOs

Vertical Markets:
Federal Government IT
Health Care IT
Finance IT
Mid-Market
Channel and VARs
Careers Blog
More eWeek Links:
Green Computing Center
Tech Knowledge Center
Tech Newsletters
Tech RSS Feeds
White Papers
Tech Videos
Magazine Subscriptions
Enterprise Websites:
ZDE Home
eWeek
Baseline Magazine
Channel Insider
CIO Insight
eSeminars and Events
Web Buyers Guide
Developer Websites:
DevSource C# and .Net
Dev Shed
DeveloperShed
ASP Free
SEO Chat
Codewalkers
Tutorialized
Scripts.com
Dev Mechanic
Dev Articles
Web Hosters
Dev Hardware
Technology Websites:
Device Forge
Desktop Linux
Linux Devices
Windows for Devices
PDF Zone
Linux Watch
TechDirect
Windows Migration
Smarter Technology

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
ZDE Cluster 3
 
Close this advertisement