Breaking News: SSL Broken?


In what was probably only a matter of time, a team of security researchers in the US and Europe has turned a known weakness in the (1) MD5 hash algorithm into a practical attack. Building on the (2) MD5 collision constructions published a few years earlier, they used a cluster of about 200 PlayStation 3 (PS3) consoles, plus a few hundred dollars' worth of ordinary certificates bought from a commercial CA, to forge a certificate-authority certificate that web browsers accept as genuine.

About six (3) certificate authorities (CAs) were still signing certificates with MD5 (MD5withRSA), and all six chain to root certificates trusted by the common web browsers (Internet Explorer, Firefox etc.).  (4) Read this article for more information.

This opens the door to phishing attacks in which the fake site presents a certificate that browsers trust: with a forged CA certificate in hand, the attacker can issue a certificate for any host name (e.g. a bank's secure web site), so the impostor site passes every certificate check the browser performs.  From the article (4):

“Browsers will display these web sites as “secure”, using common security indicators such as a closed padlock in the browser’s window frame, the web address starting with “https://” instead of “http://”, and displaying reassuring phrases such as “This certificate is OK” when the user clicks on security related menu items, buttons or links.”

“For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users’ passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.”

Thankfully, the fix is straightforward: any CA still using MD5 can switch to signing certificates with a hash from the stronger (5) SHA-2 family (SHA-256 and up), or, once NIST's SHA-3 competition concludes, with SHA-3. Note that these are hash functions, not encryption: a certificate signature is an RSA signature over a hash of the certificate's contents, and it is the hash, not RSA, that this attack breaks.
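If you want to check whether a certificate in front of you is one of the MD5-signed ones, the signature hash is recorded in the certificate's own AlgorithmIdentifier. The script below is an added example (not code from the original post or from the researchers): it walks the DER structure with the standard library only, reads the signature-algorithm OID from both the outer `signatureAlgorithm` field and the `signature` field inside `tbsCertificate` (RFC 5280 requires the two to agree), and classifies MD5 as weak and the SHA-2 family as acceptable. The three sample certificates are constructed stubs built by the script itself, with placeholder contents and all-zero signature bits; they are not real CA-issued certificates.

```python
"""Flag X.509 certificates signed with MD5 (added example, stdlib only)."""

# PKCS#1 signature-algorithm OIDs (1.2.840.113549.1.1.x).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption",    "weak"),    # what the CAs in the post used
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "legacy"),  # not MD5, but not SHA-2 either
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
}

SEQUENCE, OID, INTEGER, BIT_STRING, NULL, CTX0 = 0x30, 0x06, 0x02, 0x03, 0x05, 0xA0


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """OID content octets -> dotted string (base-128 arcs, high bit set on all but the last byte)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def signature_algorithms(cert_der):
    """Return (outer signatureAlgorithm OID, inner tbsCertificate.signature OID)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    _, tbs, pos = read_tlv(cert, 0)                  # tbsCertificate
    tag, outer_alg, _ = read_tlv(cert, pos)          # signatureAlgorithm
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer, ...
    tag, _, pos = read_tlv(tbs, 0)
    if tag != CTX0:
        pos = 0                                      # v1 certificate: no version field
    _, _, pos = read_tlv(tbs, pos)                   # serialNumber
    _, inner_alg, _ = read_tlv(tbs, pos)             # signature
    return algorithm_oid(outer_alg), algorithm_oid(inner_alg)


def audit(cert_der):
    """Classify the certificate's signature hash and flag inner/outer disagreement."""
    outer, inner = signature_algorithms(cert_der)
    name, verdict = SIGNATURE_OIDS.get(outer, (outer, "unknown"))
    if inner != outer:
        verdict = "mismatch"                         # RFC 5280 4.1.1.2: the fields MUST match
    return {"algorithm": name, "verdict": verdict}


# --- constructed sample data (stubs, not real certificates) ---------------------

def tlv(tag, content):
    """Minimal DER encoder (lengths up to 65535), used only to build the stubs."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_stub_cert(outer_oid, inner_oid=None):
    """Skeletal certificate: real DER layout, placeholder contents, all-zero signature bits."""
    def alg(oid):
        return tlv(SEQUENCE, tlv(OID, encode_oid(oid)) + tlv(NULL, b""))
    tbs = tlv(SEQUENCE,
              tlv(CTX0, tlv(INTEGER, b"\x02"))       # [0] version v3
              + tlv(INTEGER, b"\x01")                # serialNumber
              + alg(inner_oid or outer_oid)          # signature
              + tlv(SEQUENCE, b""))                  # issuer (empty Name placeholder)
    return tlv(SEQUENCE, tbs + alg(outer_oid) + tlv(BIT_STRING, b"\x00" * 17))


MD5_CERT = make_stub_cert("1.2.840.113549.1.1.4")
SHA256_CERT = make_stub_cert("1.2.840.113549.1.1.11")
TAMPERED_CERT = make_stub_cert("1.2.840.113549.1.1.11", inner_oid="1.2.840.113549.1.1.4")

if __name__ == "__main__":
    for label, cert in [("md5", MD5_CERT), ("sha256", SHA256_CERT), ("tampered", TAMPERED_CERT)]:
        print(label, audit(cert))
```

On a real certificate you would feed `audit()` the DER bytes, for instance `audit(ssl.PEM_cert_to_DER_cert(pem_text))` from the standard `ssl` module; the same information is shown by `openssl x509 -in cert.pem -noout -text` under "Signature Algorithm". Run the check over every certificate in the chain, not just the leaf: the forged certificate in this attack is an intermediate CA certificate, so an MD5 signature anywhere above the leaf is what matters.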

[ (1) http://en.wikipedia.org/wiki/MD5 ]
[ (2) http://www.cryptography.com/cnews/hash.html ]
[ (3) http://en.wikipedia.org/wiki/Certificate_authority ]
[ (4) http://blogs.zdnet.com/security/?p=2339 ]
[ (5) http://en.wikipedia.org/wiki/SHA-2 ]


About Rob Sanders

IT Professional and TOGAF 9 certified architect with nearly two decades of industry experience, 18 years in commercial software development and 11 years in IT consulting. Check out the "About Rob" page for more information.
