Rogue Digital Certificates Require CAs, Browser Vendors Work to Tighten Internet Security

An international team of security researchers uncovers a way to forge digital certificates, potentially allowing hackers to launch virtually undetectable phishing attacks. The research underscores why certificate authorities and browser vendors must keep up with the latest anti-malware measures.

When news hit that a team of security researchers and cryptographers had discovered a way to create a rogue certificate authority, the oft-repeated rule of Internet security-"Trust no one"-took on new significance.

However, before panic strikes, the researchers pointed out there are a number of measures that can be taken by browser vendors and CAs (certificate authorities) to address the situation.

At the center of the problem is what is called an MD5 collision, a well-known vulnerability within the MD5 cryptographic hash function that makes it possible to construct different messages with the same MD5 hash. In this case, the researchers have found a way to use the situation to forge digital certificates. Armed with a cluster of more than 200 commercially available game consoles and an advanced implementation of the collision construction, the team of researchers was able to essentially create a rogue certification authority.

The findings were presented Dec. 30 at the 35th Chaos Communications Conference in Berlin. If successfully executed, the attack would allow a hacker to impersonate any Web site on the Internet, leaving users open to phishing and other attacks. The good news is that the researchers have no shortage of advice on how the Internet community can deal with the problem.

First and foremost, they recommended CAs abandon their use of MD5. Many CAs have actually already done this, using standards such as SHA-1 instead. Still, the researchers found six CAs still using MD5 in 2008: RapidSSL, FreeSSL, TC TrustCenter, RSA Data Security, Thawte and

In response, VeriSign has now said it has removed the MD5 hash algorithm from the RapidSSL certifications it issues, which now all have SHA-1. In addition, the company also said it has ensured that no SSL (Secure Sockets Layer) certificate it sells under any brand is vulnerable to the attack laid out by the researchers. There are still some specific, non-RapidSSL certificates the company is still issuing on MD5. Those certificates are not vulnerable to this attack, and by the end of January they'll be off MD5 also, VeriSign said.