When user visits a secure website encrypted with SSL (Secure Sockets Layer, now known as Transport Layer Security (TLS)) HTTPS protocol, such as e-Commerce and Internet Banking sites, most people will feel that the site is more trustworthy, reliable and unlikely to be a malicious or phishing web pages. However, the security associated with SSL may be things of a past as a team of researchers in California, Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands reveal a serious security flaw in the SSL protocol, and presented it during the 25th Chaos Communication Congress (25C3) in Berlin.
The vulnerability exploits a bug in the MD5 cryptographic hashing algorithm used to create some of the digital certificates published by certification authority (CA). The crack works because hashes are used to create a digital “fingerprint” that is supposed to uniquely identify a document and can easily be calculated to verify that the document hasn’t been modified in transit. But the flaw in the MD5 algorithm makes it possible to create two different documents that have the same numerical hash value. Thus, someone can create a rough digital certificate for a phishing site that has the same fingerprint as the certificate for a genuine Web site, effectively allow web sites to prove that they’re what they claim to be, although in reality they’re not.
With about 200 PlayStation 3 (PS3) farm (its Cell processor is popular with code breakers because it is good at performing cryptographic functions), the researchers manage to create a rogue certificate authority (CA) which is an exact replicate clone of the genuine one, and used it to issue valid SSL certificates for any site they wanted. Even with the illegal spoof digitally signed cert, end user (nor their browser) would know that their HTTPS:// connection is being compromised if attacked.
So far, the researchers have managed to hack VeriSign’s RapidSSL.com certificate authority site and create fake digital certificates for any Web site on the Internet. Other CA sites that use MD5 to generate the digital certificates include VeriSign’s Japanese, TC TrustCenter AG, EMC RSA unit and Thawte.
You can view the rough cloned CA signed certificate at https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/
However, the weakness and vulnerability is not expected to pose significant risk, as cryptographic background to the attack is not published, and the attack is not repeatable without this information. Besides, and most importantly, most of the certificate authority vendors that issue digital certificates have been using the more secure SHA-1 algorithm.
Read the detailed information about the exploit on paper titled “MD5 considered harmful today – Creating a rogue CA certificate”.
Share This Post
- Able2Extract Professional 11 Review – A Powerful PDF Tool
- How to Install Windows 10 & Windows 8.1 with Local Account (Bypass Microsoft Account Sign In)
- How to Upgrade CentOS/Red Hat/Fedora Linux Kernel (cPanel WHM)
- How to Install Popcorn Time Movies & TV Shows Streaming App on iOS (iPhone & iPad) With No Jailbreak
- Stream & Watch Free Torrent Movies & TV Series on iOS with Movie Box (No Jailbreak)
- Windows 10 20H1 Insider Preview Build 18898 Released to the Fast Ring with Task Manager Improvements
- Dashlane Premium Free 1-Year Access With No Cost
- Media Creation Tool for Windows 10 Build 18362 (19H1)
- Windows 10 Insider Preview Build 18885 (20H1) Released to Windows Insiders in Fast Ring – Here What’s New, Fixes, Changes, Improvements
- Google Chrome 74 Released – Here the Changes and Download Links