SSL Crack Shows You Must Advance Your Security
The successful creation of a rogue certificate authority by security researchers using a colliding certificates attack demonstrates that if you're not moving forward with your security-related standards then you're moving backward. Everything gets cracked over time, so you have to keep improving your defenses.It's just one embarrassment after another for the digital certificate business lately. First, lax procedures at a Comodo affiliate resulted in the sale of a "mozilla.com" certificate to someone unaffiliated with that group. Now a more serious technical problem has developed with the way some certificates are generated, but the real problem is still human. It was announced at the Chaos Computer Congress in Berlin held Dec. 27 to 30: A practical collision attack on MD5 hashes, called a colliding certificates attack, allowed a group of brilliant attackers to create a signing certificate for a legitimate certificate authority. Click here for the paper they wrote on their research.
Popular Web browsers and many other applications are distributed with the root certificates of trusted certificate authorities so that the browsers can verify that Web site certificates they encounter were, in fact, issued by one of the trusted authorities. By creating their rogue certificate, the researchers were able to create certificates that would be verified by Web browsers as having been issued by the legitimate certificate authority, which, in this case, was RapidSSL, a low-cost CA owned by VeriSign. The researchers revealed enough of their research to make the problem clear and to demonstrate that they did what they claimed to do, but not enough, for now, to allow others to replicate the work quickly.