What to Do About the Attack
"It's imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard," Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms, said in a statement. Lenstra was one of the researchers involved in the project. To prevent chosen prefix attacks, the group recommends that CAs add more randomness to certificate fields, preferably as close to the start of the certificate as possible. The team also suggests that certification authorities monitor the flow of Certificate Signing Requests they receive for abnormal behavior, such as multiple requests by the same user in quick succession."The major browsers and Internet players, such as Mozilla and Microsoft, have been contacted to inform them of our discovery, and some have already taken action to better protect their users," Lenstra added. Scott Crawford, an analyst with Enterprise Management Associates, noted that the researchers were also able to predict some of the values found in a legitimate certificate-such as the serial number-and could leverage them. "Thus it's not only reliance on a hashing algorithm with known issues, it's also the overall processes of certificate issuance which merit examination as well," Crawford said. "As attackers continue to proliferate and their numbers grow at alarming rates, those who place a high degree of reliance on critically sensitive PKI [public-key infrastructure] and cryptography will need to take a fresh look at just how well they are prepared to deal with today's threats." Though cyber-crooks would have to go through a significant amount of trouble to launch this attack, its existence illustrates that consumers cannot universally rely on certificates to guarantee they are on a legitimate Web site, opined Avivah Litan, an analyst with Gartner. "In the end, it just points out that Internet infrastructure is full of security weaknesses, and fraud must be tackled using a layered approach, including stronger security for PCs, more robust Internet infrastructure-including stronger certificates, signed e-mail, secure gateways, etc.-stronger user authentication ... and proactively taking down criminal operations," Litan said. Editor's Note: This article was updated to add a response from VeriSign.
As for browser vendors, they can implement pop-up warnings to users when the browser comes across an MD5-based certificate. It is also possible to block MD5-based certificates, and for the vendors to implement path length checking.