Rogue SSL certificate exploit puts VeriSign on the spot

Wishes "white hat" researchers had notified VeriSign before public demo.

Following the success of researchers last week in creating a false SSL certificate based on VeriSign's RapidSSL brand, the company is scrambling to explain how it happened, how it's preventing it from reoccurring, and whether its other SSL certificate-generation services are at risk.

SSL certificates are supposed to be unique identifiers for Web sites and other purposes, but on Dec. 30, an international team of researchers demonstrated at the Berlin Chaos Communication Congress event how they could exploit a weakness in the MD5 hash algorithm in VeriSign's automated RapidSSL certificate-issuance service to gain possession of what they call a "rogue Certificate Authority certificate."

"This certificate allows us to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol," stated the researchers in their paper discussing the attack methodology. (Researchers who conducted this work include Alexander Sotirov, Marc Stevens, Jacob Applebaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger.)

A hash is a mathematical construct used in software to create a unique digital "fingerprint," but experts have speculated about potential weaknesses in the MD5 hash algorithm for more than four years. The international team at the Berlin event proved that with enough computing firepower they could create a certificate that could fool any Web browser into trusting what would be a rogue Web site, if the fake certificate were used.

"As a proof of concept, we executed a practical attack scenario and successfully created a rogue Certification Authority certificate trusted by all consumer Web browsers," the researchers state in their paper. The group emphasized: "Don't use the MD5 algorithm." They also pointed out that they see the potential for a mass denial-of-service attack on the Web based on the kind of exploit they demonstrated.

Four hours after the researchers' proof-of-concept demonstration, VeriSign switched out MD5 for SHA-1 for use in its RapidSSL certificate service, says Tim Callan, vice president of product marketing.

SHA-1 is another hash algorithm and a U.S. government standard, but it too is expected to be replaced with something stronger over the next five years under the hash competition process that the National Institute of Standards and Technology is overseeing.

Callan expressed some frustration that the researchers hadn't contacted VeriSign prior to their demonstration of RapidSSL's vulnerability.

"VeriSign feels this kind of 'white hat' research is important, but we encourage them to share their findings with us," he says. Despite some talk that VeriSign might consider taking legal action against such research, Callan emphasizes, "We wouldn't use legal response to prevent disclosure."

RapidSSL is one of several VeriSign certificate-generation services. "We're not revealing how many seats are out there, but RapidSSL, which we acquired from GeoTrust in 2006, has as its target customer the very small business."

However, VeriSign does use MD5 in some of its other certificate-issuance services, Callan says, without going into great detail. Phase-out of MD5 has been underway at VeriSign and was originally scheduled to be completed this January. VeriSign is now accelerating that migration to SHA-1. In Japan, for example, VeriSign has an SSL service intended for use with mobile phones and MD5 was just switched out.

Callan argues, however, that MD5 "is not a failed algorithm. It's just an algorithm less defensible that others such as SHA-1."

He claims the attack carried out against RapidSSL by the researchers at the Berlin conference was extremely complex. "They had to string very clever attacks together to break MD5," he says.

Microsoft, which also issued an acknowledgement of the researchers' demonstrated attack against MD5, suggested it wasn't something that poses a major threat or that that should raise alarm.

However, some experts in cryptography say it's difficult to defend any use of MD5 at this point.

"We're recommending to people that they get rid of it," says Paul Kocher, president and chief scientist of Cryptography Research, who helped author the SSL 3.0 standard. The researchers' MD5 exploit demonstrated "you can have multiple messages that give the same MD5 output. With the 16-byte hash results, it should be impossible to give the same result."

The challenge in completely getting rid of MD5 is "that it's in an awful lot of programs for MD5 checksum," Kocher says. "It's hard to get rid of it. Applications have existing databases of MD5 values, such as for applications considered valid."

But these are all solvable challenges, he adds, noting he viewed it as "incompetent" for anyone to keep using a broken encryption algorithm.

Join the PC World newsletter!

Error: Please check your email address.

Tags RapidSSLVeriSign

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?