Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management

    Rogue Digital Certificates Require CAs, Browser Vendors Work to Tighten Internet Security

    Written by

    Brian Prince
    Published December 30, 2008
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      When news hit that a team of security researchers and cryptographers had discovered a way to create a rogue certificate authority, the oft-repeated rule of Internet security-“Trust no one”-took on new significance.

      However, before panic strikes, the researchers pointed out there are a number of measures that can be taken by browser vendors and CAs (certificate authorities) to address the situation.

      At the center of the problem is what is called an MD5 collision, a well-known vulnerability within the MD5 cryptographic hash function that makes it possible to construct different messages with the same MD5 hash. In this case, the researchers have found a way to use the situation to forge digital certificates. Armed with a cluster of more than 200 commercially available game consoles and an advanced implementation of the collision construction, the team of researchers was able to essentially create a rogue certification authority.

      The findings were presented Dec. 30 at the 35th Chaos Communications Conference in Berlin. If successfully executed, the attack would allow a hacker to impersonate any Web site on the Internet, leaving users open to phishing and other attacks. The good news is that the researchers have no shortage of advice on how the Internet community can deal with the problem.

      First and foremost, they recommended CAs abandon their use of MD5. Many CAs have actually already done this, using standards such as SHA-1 instead. Still, the researchers found six CAs still using MD5 in 2008: RapidSSL, FreeSSL, TC TrustCenter, RSA Data Security, Thawte and Verisign.co.jp.

      In response, VeriSign has now said it has removed the MD5 hash algorithm from the RapidSSL certifications it issues, which now all have SHA-1. In addition, the company also said it has ensured that no SSL (Secure Sockets Layer) certificate it sells under any brand is vulnerable to the attack laid out by the researchers. There are still some specific, non-RapidSSL certificates the company is still issuing on MD5. Those certificates are not vulnerable to this attack, and by the end of January they’ll be off MD5 also, VeriSign said.

      What to Do About the Attack

      “It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard,” Arjen Lenstra, head of EPFL’s Laboratory for Cryptologic Algorithms, said in a statement. Lenstra was one of the researchers involved in the project.

      To prevent chosen prefix attacks, the group recommends that CAs add more randomness to certificate fields, preferably as close to the start of the certificate as possible. The team also suggests that certification authorities monitor the flow of Certificate Signing Requests they receive for abnormal behavior, such as multiple requests by the same user in quick succession.

      As for browser vendors, they can implement pop-up warnings to users when the browser comes across an MD5-based certificate. It is also possible to block MD5-based certificates, and for the vendors to implement path length checking.

      “The major browsers and Internet players, such as Mozilla and Microsoft, have been contacted to inform them of our discovery, and some have already taken action to better protect their users,” Lenstra added.

      Scott Crawford, an analyst with Enterprise Management Associates, noted that the researchers were also able to predict some of the values found in a legitimate certificate-such as the serial number-and could leverage them.

      “Thus it’s not only reliance on a hashing algorithm with known issues, it’s also the overall processes of certificate issuance which merit examination as well,” Crawford said. “As attackers continue to proliferate and their numbers grow at alarming rates, those who place a high degree of reliance on critically sensitive PKI [public-key infrastructure] and cryptography will need to take a fresh look at just how well they are prepared to deal with today’s threats.”

      Though cyber-crooks would have to go through a significant amount of trouble to launch this attack, its existence illustrates that consumers cannot universally rely on certificates to guarantee they are on a legitimate Web site, opined Avivah Litan, an analyst with Gartner.

      “In the end, it just points out that Internet infrastructure is full of security weaknesses, and fraud must be tackled using a layered approach, including stronger security for PCs, more robust Internet infrastructure-including stronger certificates, signed e-mail, secure gateways, etc.-stronger user authentication … and proactively taking down criminal operations,” Litan said.

      Editor’s Note: This article was updated to add a response from VeriSign.

      Brian Prince
      Brian Prince

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×