TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast



SSL security flaw with MD5 certificates announced today

The problem is that many sites like banks, brokerages, credit card companies, and major online web sellers are all using MD5 certificates. I checked and my credit card company, my bank, & Google Gmail are all still using MD5 certificates.

»news.cnet.com/8301-1009_3-101296···1_3-0-20
A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers plans to announce Tuesday.

They plan to demonstrate how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.

Their work has focused on finding vulnerabilities in a technology known as Secure Sockets Layer, or SSL, which was designed to provide Internet users with two guarantees: first, that the Web site they're connecting to isn't being spoofed, and second, that the connection is encrypted and is proof against eavesdropping. SSL is used whenever a user navigates to an address beginning with "https://".

The attack exploits a mathematical vulnerability in the MD5 algorithm, one of the standard cryptographic functions used to check that SSL certificates (and thus the corresponding Web sites) are valid. This function has been publicly known to be weak since 2004, but until now no one had figured out how to turn this theoretical weakness into a practical attack.

When MIT professor Ron Rivest developed MD5 in 1991, it was considered sufficiently secure. But starting in 1996, a series of increasingly serious flaws started calling the continued viability of MD5 into question.

"The main message here is to stop issuing MD5 certificates, now," said Molnar. He believes that MD5 is so weak it no longer should be used for any applications: "More secure, freely available alternatives exist." (In November 2005, the U.S. government announced plans to find successors to MD5 and SHA-1, an official federal standard with its own problems. The new federal standard will be called SHA-3.)

Appelbaum estimates that 30 percent to 35 percent of all SSL certificates currently in use have an MD5 signature somewhere in their authentication chain. "The CAs should contact every customer that currently uses an MD5-signed certificate and offer a free replacement."
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?

TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast



Re: SSL security flaw with MD5 certificates announced today

Here is a link that does a nice job of explaining how this vulnerability can be exploited:
»www.freedom-to-tinker.com/blog/f···ificates

An example of the MD5 & SHA1 hashes for Google Gmail:


It is these fingerprints that would be forged.

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Re: SSL security flaw with MD5 certificates announced today

... and here's an excellent backgrounder on Crypto Hashing

An Illustrated Guide to Cryptographic Hashes

Kiwi
Premium
join:2003-05-26
USA
·Comcast
·Aristotle Internet

Re: SSL security flaw with MD5 certificates announced today

That's a pretty good explanation for those wishing to learn a thing or two and in spite of the MD5 from hell scare going on; anybody with an interest can easily tell this is getting blown into a mountain. MD5 and hash checks have been around for years and so have the holes, nothing new here.

First line of defence is not an MD5 correlation, particularly in the business world; it's just another layer.

antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA

Researchers devise undetectable phishing attack

Researchers devise undetectable phishing attack
Researchers were able to hack Verisign's RapidSSL.com certificate authority and create fake digital certificates for any Web site on the Internet

* By Robert McMillan, IDG News Service
December 30, 2008

With the help of about 200 Sony Playstations, an international team of security researchers has devised a way to undermine the algorithms used to protect secure Web sites and launch a nearly undetectable phishing attack.

To do this, they've exploited a bug in the digital certificates used by Web sites to prove that they are who they claim to be. By taking advantage of known flaws in the MD5 hashing algorithm used to create some of these certificates, the researchers were able to hack Verisign's RapidSSL.com certificate authority and create fake digital certificates for any Web site on the Internet.

Hashes are used to create a "fingerprint" for a document, a number that is supposed to uniquely identify a given document and is easily calculated to verify that the document has not been modified in transit. The MD5 hashing algorithm, however, is flawed, making it possible to create two different documents that have the same hash value. This is how someone could create a certificate for a phishing site having the same fingerprint as the certificate for the genuine site.

Using their farm of Playstation 3 machines, the researchers built a "rogue certificate authority" that could then issue bogus certificates that would be trusted by virtually any browser. The Playstation's Cell processor is popular with code breakers because it is particularly good at performing cryptographic functions.

They plan to present their findings at the Chaos Communication Congress hacker conference, held in Berlin Tuesday, in a talk that has already been the subject of some speculation in the Internet security community.

The research work was done by an international team that included independent researchers Jacob Appelbaum and Alexander Sotirov, as well as computer scientists from the Centrum Wiskunde & Informatica, the Ecole Polytechnique Federale de Lausanne, the Eindhoven University of Technology and the University of California, Berkeley.

Although the researchers believe that a real-world attack using their techniques is unlikely, they say that their work shows that the MD5 hashing algorithm should no longer be used by the certificate authority companies that issue digital certificates. "It's a wake up call for anyone still using MD5," said David Molnar a Berkeley graduate student who worked on the project.

In addition to Rapidssl.com, TC TrustCenter AG, RSA Data Security, Thawte and Verisign.co.jp all use MD5 to generate their certificates, the researchers say.

Launching an attack is hard, because the bad guys must first trick a victim into visiting the malicious Web site that hosts the fake digital certificate. This could be done, however, by using what's called a man-in-the-middle attack. Last August, security researcher Dan Kaminsky showed how a major flaw in the Internet's Domain Name System could be used to launch man-in-the-middle attacks. With this latest research, it's now become easier to launch this type of attack against Web sites that are secured using SSL (Secure Sockets Layer) encryption, which relies on trustworthy digital certificates.

"You can use kaminsky's DNS bug, combined with this to get virtually undetectable phishing," Molnar said.


"This isn't a pie-in-the-sky talk about what may happen or what someone might be able to do, this is a demonstration of what they actually did with the results to prove it," wrote HD Moore, director of security research at BreakingPoint Systems, in a blog posting on the talk.

Cryptographers have been gradually chipping away at the security of MD5 since 2004, when a team led by Shandong University's Wang Xiaoyun demonstrated flaws in the algorithm.

Given the state of research into MD5, certificate authorities should have upgraded to more secure algorithms such as SHA-1 (Secure Hash Algorithm-1) "years ago," said Bruce Schneier, a noted cryptography expert and the chief security technology officer with BT.

RapidSSL.com will stop issuing MD5 certificates by the end of January and is looking at how to encourage its customers to move to new digital certificates after that, said Tim Callan, vice president of product marketing with Verisign.

But first, the company wants to get a good look at this latest research. Molnar and his team had communicated their findings to Verisign indirectly, via Microsoft, but they have not spoken directly with Verisign, out of fear that the company might take legal action to quash their talk. In the past, companies have sometimes obtained court orders to prevent researchers from talking at hacking conferences.


Callan said that he wished that Verisign had been given more information. "I can't express how disappointed I am that bloggers and journalists are being briefed on this but we're not, considering that we're the people who have to actually respond."

While Schneier said he was impressed by the math behind this latest research, he said that there are already far more important security problems on the Internet -- weaknesses that expose large databases of sensitive information, for example.

"It doesn't matter if you get a fake MD5 certificate, because you never check your certs anyway," he said. "There are dozens of ways to fake that and this is yet another."
--

Specializing in "take-downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
»fraudwatchers.org/forums/

EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

Another opportunity for Cain & Abel and Rock Phish

Although the researchers believe that a real-world attack using their techniques is unlikely, ...

Launching an attack is hard, because the bad guys must first trick a victim into visiting the malicious Web site that hosts the fake digital certificate. This could be done, however, by using what's called a man-in-the-middle attack.

...
"You can use kaminsky's DNS bug, combined with this to get virtually undetectable phishing," Molnar said.
...
I'd also guess that it's very feasible for a miscreant to enter a wireless hotspot with a laptop and use ARP cache poisoning to redirect and serve other users hacked certificates to fake sites created with Rock Phish kits. Before, with Cain & Abel, the cert would have been flagged as "unknown issuer". Now, a perfectly legit looking cert can be handed to the client system.

This certificate vulnerability will also present opportunities for folks setting up rogue hotspots.
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
amungus
Premium
join:2004-11-26
America
clubs:

When looking at the details for "Certificate Signature Algorithm" for gmail, I see:

"PKCS #1 SHA-1 With RSA Encryption"

The "general" tab simply shows both SHA-1 and MD5 fingerprints.

Does this mean that it's still vulnerable, even if both hashes are present? Does that not matter since MD5 is there at all???

If these are still vulnerable, what a headache it will be to update all kinds of certificates.

TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast



Re: SSL security flaw with MD5 certificates announced today

said by amungus See Profile :

When looking at the details for "Certificate Signature Algorithm" for gmail, I see:

"PKCS #1 SHA-1 With RSA Encryption"

The "general" tab simply shows both SHA-1 and MD5 fingerprints.

Does this mean that it's still vulnerable, even if both hashes are present?
Does that not matter since MD5 is there at all???

If these are still vulnerable, what a headache it will be to update all kinds of certificates.
According to the news item MD5 & SHA1 have the same vulnerability exposure.
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?

Sir Meowmix III



Re: SSL security flaw with MD5 certificates announced today

said by TKJunkMail See Profile :

According to the news item MD5 & SHA1 have the same vulnerability exposure.
I do not see this to be the case in my reading. I show that only those signed with MD5 are vulnerable, not those with SHA-1. Even Microsoft seems to indicate this as well, although they're certainly not an authoritative source in security.

quote:
Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm.
amungus
Premium
join:2004-11-26
America
clubs:

Re: SSL security flaw with MD5 certificates announced today

That's how I read it too... which is why I still think the question has some merit.

Barring SHA-1 only hashes, what's the story if you see both??? Is it still (more) secure when both are present, or is it completely irrelevant if one is breakable?

As for the browser idea... that's not a bad thought, but I don't think it'd work as smoothly - it's also incumbent on the user to patch their browser. Would be a more "certain" solution if the server certs themselves were guaranteed to be not using MD5.

Once that's done, the browser wouldn't care. There simply wouldn't be any MD5 hash present to begin with, which would then eliminate the chance of having an insecure hash being present...

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

The "general" tab simply shows both SHA-1 and MD5 fingerprints.

Does this mean that it's still vulnerable, even if both hashes are present? Does that not matter since MD5 is there at all???
One should distinguish between the fingerprint and the hash used in the signature. Only one hash is used in the digital signature. Any hash of choice could later be used as a fingerprint.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5
amungus
Premium
join:2004-11-26
America
clubs:

Re: SSL security flaw with MD5 certificates announced today

Thanks for the clarification on that

In short, TK's screenshot is what I was originally looking at - hence confusion...

Here's a screenshot of what the quotes I referenced are talking about - how to see what algorithm is being used on the signature.

EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


Microsoft advisory here;
»www.microsoft.com/technet/securi···509.mspx

said by suggested actions :

Do not sign digital certificates with MD5

Certificate Authorities should no longer sign newly generated certificates using the MD5 algorithm, as it is known to be prone to collision attacks. Several alternative and more secure technologies are available, including SHA-1, SHA-256, SHA-384 or SHA-512.


Until then, however, the typical non-technical user will remain in the dark, and owning a Mac will not help you here.
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis

geekamongus
Real Slump Quality
Premium,MVM
join:2004-07-27
Asheville, NC
Wouldn't the blocking of certs using MD5 at the browser level be a helpful stopgap until this thing gets resolved at the root level?
--
o o
doppler

join:2003-03-31
Blue Point, NY
A picture and links found on:

»hackaday.com/

More of the hardware that did the deed. There may be a surprise to some folks in how it was done.
amungus
Premium
join:2004-11-26
America
clubs:

Very interesting. Thank you doppler for the link.

Some selected quotes from: »www.win.tue.nl/hashclash/rogue-ca/ - a link from the article found at doppler's link above
"Even if SHA-1 would have lived up to its design objectives, its output length of 160 is too small to justify its prolonged use for more than the short term. NIST recognized this at an early stage, and came in 2001 with the new SHA-2 family of hash functions. So far these have withstood all cryptanalysis. Nevertheless NIST saw the need for mobilizing the cryptographic community to get a deeper understanding of hash function design and to come up with better hash functions for the next 10 years. Therefore it has started an open competition for selecting the successor of SHA-2, dubbed for the moment SHA-3. The winner of this competition is expected to be selected by 2012, and will most probably become the de facto hashing standard for the next decade."

---

"Any website, whether it is secure (i.e. uses SSL) or not, whether it has an MD5-based, SHA-1-based, SHA-256-based, or any other type of certificate, irrespective of which Certification Authority issued the certificate, can be impersonated, in particular not only genuine websites that have an MD5-based certificate are vulnerable."

---

"The used hash function is visible in the "Signature algorithm" field, see the picture to the right, where "md5RSA" means that MD5 was used for signing the certificate. When all certificates in the chain up to the root CA certificate use other hash functions than MD5 such as SHA-1, our attack has not been used.

When MD5 has been used, fraud may be detected by inspection of the certificate at bit level."


---

"Browser and Operating System vendors such as Microsoft (vendor of Windows and Internet Explorer) and Mozilla (vendor of Firefox) can implement pop-up warnings to the users when an MD5-based certificate is encountered. Blocking MD5-based certificates is also possible, but rather drastic. Browser vendors can implement path length checking. Furthermore, it is the browser vendors who determine which Certification Authorities are present in the trust lists inside the browsers or operating systems. This puts them in a good position to put pressure on the Certification Authorities to adopt proper procedures and use strong cryptographic primitives. We have contacted the mentioned browser vendors so that they are aware of the problem.

Website owners can check whether their Certification Authority has proper procedures, notably does not use unacceptable hash functions such as MD5. Website owners can ask their CAs to switch to more secure hash functions such as SHA-2."
The second bolded part means to me that it's still "safer" to have SHA-1 than purely MD5 hashes...

Gmail, as mentioned by TK, is actually using "PKCS #1 SHA-1 With RSA Encryption" - as are many other sites I've checked...

Looks like their work was also rather involved. Spent some money on certs, lots of trial and error, very tricky timings for some parts, and, well, 200 PS3 systems clustered together

Scammers won't likely invest that much time/money/pure geek brainpower into this just yet. Then again, you never know.
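The distinction nwrickert drew above (the viewer's fingerprint hash versus the hash named in the certificate's signature algorithm) and the hashclash advice to look at the "Signature algorithm" field of every certificate in the chain are easy to show in code. The following is an added example written for this thread, not code from the researchers or from any browser: a minimal DER reader that pulls the signatureAlgorithm OID out of a certificate, returns the bytes a CA actually hashes and signs (the tbsCertificate), and computes the MD5 and SHA-1 fingerprints over the whole certificate, which the viewer may compute with any hash it likes. The certificates it inspects are constructed stand-ins built by make_toy_certificate (empty names, zero key and signature bits), so the layout is real but nothing in them is a valid signature; OID_NAMES and the helper names are this example's own.

```python
"""Added example (not from the thread or the hashclash team): tell the hash in a
certificate's signatureAlgorithm apart from the viewer's fingerprint hash."""
import hashlib

# PKCS #1 signature-algorithm OIDs; the names are the standard ones.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a single-byte-tag DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit set on all but last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def decode_oid(content):
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_read(buf, pos):
    """Read one TLV (single-byte tag, which is all X.509 uses); return (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def make_toy_certificate(sig_oid, serial=b"\x01\x23\x45"):
    """Constructed stand-in for an X.509 certificate signed with sig_oid: right DER
    layout for field inspection, but empty names and zero key/signature bits."""
    alg_id = der(0x30, encode_oid(sig_oid) + der(0x05, b""))          # AlgorithmIdentifier + NULL
    spki = der(0x30, der(0x30, encode_oid(RSA_ENCRYPTION_OID) + der(0x05, b""))
               + der(0x03, b"\x00" + bytes(16)))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                           # [0] version v3
              + der(0x02, serial)                                      # serialNumber
              + alg_id                                                 # inner signature field
              + der(0x30, b"")                                         # issuer (empty)
              + der(0x30, der(0x17, b"081230000000Z") + der(0x17, b"091230000000Z"))  # validity
              + der(0x30, b"")                                         # subject (empty)
              + spki)
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" + bytes(32)))   # outer signatureAlgorithm + bits


def signed_portion(cert_der):
    """The bytes the CA hashes and signs: the whole tbsCertificate TLV."""
    _, content, _ = der_read(cert_der, 0)
    _, _, end = der_read(content, 0)
    return content[:end]


def signature_hash(cert_der):
    """Hash named in the outer signatureAlgorithm field (what a viewer's 'md5RSA' means)."""
    _, content, _ = der_read(cert_der, 0)
    _, _, pos = der_read(content, 0)          # skip tbsCertificate
    _, alg, _ = der_read(content, pos)        # AlgorithmIdentifier
    tag, oid_bytes, _ = der_read(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(oid_bytes)
    return OID_NAMES.get(oid, oid)


def fingerprints(cert_der):
    """Viewer fingerprints: hashes over the entire certificate, chosen by the viewer, not the CA."""
    return {"MD5": hashlib.md5(cert_der).hexdigest(),
            "SHA1": hashlib.sha1(cert_der).hexdigest()}


def md5_signed_links(chain):
    """Indexes of chain members (0 = leaf) whose signature used MD5; any hit matters."""
    return [i for i, c in enumerate(chain) if signature_hash(c) == "md5WithRSAEncryption"]


if __name__ == "__main__":
    leaf = make_toy_certificate("1.2.840.113549.1.1.5")          # SHA-1 signed leaf
    intermediate = make_toy_certificate("1.2.840.113549.1.1.4")  # MD5 signed intermediate
    for name, c in (("leaf", leaf), ("intermediate", intermediate)):
        print(name, signature_hash(c), fingerprints(c))
    print("MD5-signed links in chain:", md5_signed_links([leaf, intermediate]))
```

Running it shows both an MD5 and a SHA-1 fingerprint for every certificate regardless of how it was signed, which is exactly why the "general" tab in Firefox tells you nothing about exposure; md5_signed_links is the check that matters, and it has to be run over the whole chain, since a SHA-1 leaf hanging off an MD5-signed intermediate is still exposed.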
mysec
Premium
join:2005-11-29

Some other quotes from »www.win.tue.nl/hashclash/rogue-ca/

description of how our attack scenario may be used to impersonate an existing website.

When a user wants to visit the secure website, the web browser will look on the Internet for the genuine web server. There exist "redirection attacks", by which the communication from the browser can be redirected to the rogue website.

It seems to me that this attack scenario is no different than any other pharming exploit. So, how do you protect against pharming?

Would disabling "redirection" in the browser work in this case? You should get the 302 error:



______________________________________________

Also, if your https addresses are stored in a custom address group in your firewall,
a redirection will trigger an alert:



______________________________________________

Any other preventative measures?

----
rich

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

Re: SSL security flaw with MD5 certificates announced today

Would disabling "redirection" in the browser work in this case?
No, that wouldn't help at all, and might cause other problems.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5
mysec
Premium
join:2005-11-29

Re: SSL security flaw with MD5 certificates announced today

Can you explain?

A friend always disables redirection when going to her financial sites. She's never mentioned encountering any problems.

I've not done it except in the screenshot I showed when testing the old sloantreefarm Google redirect exploit.

----
rich

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

Re: SSL security flaw with MD5 certificates announced today

The type of redirection that is a concern is the one done by DNS that the browser does not even know about.

If you go to the bank site, and there is a browser redirection, that is specified by the bank site. You really do want to follow that redirect.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5
mysec
Premium
join:2005-11-29

Re: SSL security flaw with MD5 certificates announced today

Thanks for the explanation.

The Google redirect exploit appended the fake URL into the browser, so DNS did not come into play.

Any other preventative measures that will keep a user from being redirected to a fake site?

----
rich

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

Re: SSL security flaw with MD5 certificates announced today

Mostly, you depend on the reliability of your DNS servers.

The certificate flaw will not be easy to exploit. I am not panicking over this one. I'm taking the advisory as mainly advice to certificate issuers to change their practices.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5

FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

said by nwrickert See Profile :

The type of redirection that is a concern is the one done by DNS that the browser does not even know about.

If you go to the bank site, and there is a browser redirection, that is specified by the bank site. You really do want to follow that redirect.
Is it not true that a site can be hacked and the hackers can insert a redirect at that point rather than through DNS?
--
Courage is being scared to death but saddling up anyway.

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

Re: SSL security flaw with MD5 certificates announced today

Is it not true that a site can be hacked and the hackers can insert a redirect at that point rather than through DNS?
If they hack your bank site, all is lost anyway. Whether the hack uses a redirect or a malicious web page at the site, the risk is the same.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5

therube

join:2004-11-11
Randallstown, MD
hackademix.net: Putting SSL in Perspectives

TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast

Re: SSL security flaw with MD5 certificates announced today

Good link. I have been using Perspectives Add-on in Firefox for a couple months now.
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?

La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

Re: SSL security flaw with MD5 certificates announced today

said by TKJunkMail See Profile :

Good link. I have been using Perspectives Add-on in Firefox for a couple months now.
That add on made the news here a few months ago, I'm sure you remember as you posted.

»New Firefox Extension Thwarts MITM Attacks
--
1/20/09 The Beginning of the End

12,489 DEADLY TERROR ATTACKS SINCE 9/11

TSI Gabe
Premium,VIP
join:2007-01-03
Chatham, ON

Re: SSL security flaw with MD5 certificates announced today

Either way, it's not just a matter of generating an MD5 hash that matches the SSL cert, it's about generating ANOTHER SSL cert that looks the same that would generate the same MD5 hash. While I agree that MD5 isn't exactly secure anymore the mathematical possibility of generating a valid cert that would generate the same MD5 hash is slim at best.

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

Re: SSL security flaw with MD5 certificates announced today

For hashing strings:

Given a string, find another credible string with the same MD5 hash: this is still a difficult problem.
Find two strings with the same MD5 hash. This can be done (has been done).

For certificates:

Given a certificate, find another certificate that will generate the same MD5 hash. This is still a difficult problem.
Find two certificate requests, such that the two certificates will have the same hash. This is presumably an easier problem.

It's the second of these that the security flaw is about. If you can generate two certificate requests that will have the same hash, then you have the CA sign one, and copy that signature into the other.

What I don't quite understand about this, is that while signing the certificate the CA makes some editorial changes to the certificate content. These include inserting a serial number and start and expire dates. If these changes are included in what is hashed for the signature, then that would seem to disrupt the method of attack - unless the attacker can predict this data. Maybe serial and date info are not in the signature hash, but that would be a surprising weakness if true.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5
Graycode

join:2006-04-17
·net2phone



Re: SSL security flaw with MD5 certificates announced today

said by nwrickert See Profile :

What I don't quite understand about this, is that while signing the certificate the CA makes some editorial changes to the certificate content. These include inserting a serial number and start and expire dates. If these changes are included in what is hashed for the signature, then that would seem to disrupt the method of attack - unless the attacker can predict this data. Maybe serial and date info are not in the signature hash, but that would be a surprising weakness if true.
You may be exactly right about the serial. The following is by Eric Rescorla, author of recent TLS versions.
»www.educatedguesswork.org/2008/1···t_a.html
quote:
The relevance of the serialNumber is this: unlike the name and the public key, the serialNumber and validity are generated by the CA. So, you need to know in advance what they will be in order to generate the appropriate colliding "bad" certificate. The validity is typically just generated as something like a year or two from the time of issue, so it's relatively predictable. The CA has a lot of freedom in how to generate the serial number. If it's truly a sequence number, it's quite predictable. However, if it's randomly generated, then it can be made arbitrarily unpredictable, which effectively blocks this kind of collision attack. When MD5 collisions were first discovered, the two standard recommendations were (1) stop using MD5 and (2) generate random serial numbers.

...

Bottom Line
As usual, don't panic. In its current state, this is more of a demonstration of a hole than a serious hole. Countermeasures are readily available to the CAs and if the remaining CAs fix their practices fast enough, then it's unlikely that there will be any more bad certificates issued ...

mysec
Premium
join:2005-11-29

"This morning's MD5 attack - resolved"

»www.win.tue.nl/hashclash/rogue-ca/
Verisign, the owner of the RapidSSL brand, immediately responded when our work became public. See the announcement "This morning's MD5 attack - resolved" by Tim Callan. Some interesting quotes from this blog:

• "We applaud security research of this sort and are glad that white hats like the "MD5 Collision Inc." group make a point of investigating online security."

• "We have discontinued using MD5 when we issue RapidSSL certificates, and we've confirmed that all other SSL Certificates we sell are not vulnerable to this attack. We'll continue on our path to discontinue MD5 in all end entity certificates by the end of January, 2009."

• "... any customer who would like to do so can replace any MD5-hashed certificate free of charge."

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

Re: SSL security flaw with MD5 certificates announced today

You may be exactly right about the serial. The following is by Eric Rescorla, author of recent TLS versions.
»www.educatedguesswork.org/2008/1···t_a.html
That's a good reference.

When a CA is doing some investigation to approve a certificate, that will take time. As a result the validity times will be harder to predict. Apparently the demonstration used RapidShare, which generates certificates on the spot. That makes the validity more easily predictable. And presumably the serial can be predictable if done sequentially.

It seems to me that a CA could:
randomize the serial number;
randomize the validity expiration time (adding a few random days, with random hour/minute specified);
randomize the validity start time, by backdating the start by a random amount of time from the present.

Such steps would make it far harder to exploit this. However, moving away from MD5 is certainly advisable too.

Even with one of these certificates, you could probably only use that effectively in an MITM attack. And there are many other difficulties involved in launching an MITM attack.

My conclusion: there's no need to panic about this. It isn't practical as a general threat. It is perhaps more of a threat to specialized systems known to have valuable data, and worth the expense of attempting to exploit it. But, mostly, it serves as a reminder that it is time to phase out the use of MD5.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5
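The point made in the Rescorla quote above and in nwrickert's list of countermeasures is that a chosen-prefix collision has to be computed before the CA signs, so the attacker must guess every CA-chosen field (serial number, notBefore, notAfter) that lands inside the signed tbsCertificate. The following toy model, an added example written for this thread and not the researchers' code, makes that dependency concrete: ToyCA is a hypothetical automated issuer that either hands out sequential serials with notBefore equal to the request time, or applies the random-serial and random-backdating countermeasures; the attacker buys a few certificates to learn the pattern, predicts the next CA-chosen fields, and the "collision" is only usable if the prediction matches what the CA actually put in the certificate. No hashing or collision search is modelled, only the prediction step that it depends on; the clock value and the hostnames are constructed.

```python
"""Added example (not the researchers' code): the MD5 rogue-CA attack needs the
CA-chosen fields to be predictable; randomising them removes that foothold."""
import secrets
from dataclasses import dataclass

ONE_DAY = 86_400
ONE_YEAR = 365 * ONE_DAY


@dataclass(frozen=True)
class IssuedCert:
    subject: str
    serial: int
    not_before: int      # toy clock value (seconds) supplied by the caller
    not_after: int


class ToyCA:
    """Hypothetical automated CA. randomize=False mimics a sequential-serial,
    issue-on-the-spot CA; randomize=True applies the countermeasures above."""

    def __init__(self, randomize):
        self.randomize = randomize
        self._next_serial = 1000

    def issue(self, subject, now):
        if self.randomize:
            serial = secrets.randbits(64) | 1              # 64 random bits, never zero
            not_before = now - secrets.randbelow(ONE_DAY)  # backdate by a random amount
        else:
            serial = self._next_serial
            self._next_serial += 1
            not_before = now                               # exactly when the request arrived
        return IssuedCert(subject, serial, not_before, not_before + ONE_YEAR)


def predict_next(observed, request_time):
    """Attacker's model of the CA: if the serials seen so far form an arithmetic
    progression, the next serial is last+step and notBefore is the request time."""
    steps = {b.serial - a.serial for a, b in zip(observed, observed[1:])}
    if len(steps) != 1:
        return None
    return (observed[-1].serial + steps.pop(), request_time)


def collision_attack_succeeds(ca, clock, probes=3):
    """Buy a few certificates to learn the pattern, predict the CA-chosen fields
    of the next one, and bake them into the colliding pair. The collision is
    only usable if the CA really emits the predicted values."""
    observed = [ca.issue(f"probe{i}.example", clock + i) for i in range(probes)]
    request_time = clock + probes
    guess = predict_next(observed, request_time)
    if guess is None:
        return False                                       # no prediction, no collision to prepare
    issued = ca.issue("target-collision.example", request_time)
    return (issued.serial, issued.not_before) == guess


if __name__ == "__main__":
    clock = 1_230_000_000                                  # constructed epoch time, late Dec 2008
    print("sequential CA:", collision_attack_succeeds(ToyCA(randomize=False), clock))
    print("randomized CA:", collision_attack_succeeds(ToyCA(randomize=True), clock))
```

The sequential CA is predicted every time; against the randomized one the attacker cannot even form a prediction, and even a lucky guess at the serial still has to match a notBefore drawn from a day-long window. Randomizing serials is cheap and independent of the hash in use, but it only blunts this particular collision scenario; replacing MD5 in the signature is the actual fix.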

TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast

said by TKJunkMail See Profile :

Good link. I have been using Perspectives Add-on in Firefox for a couple months now.
The Perspectives team has created a web page about this exploit and how their "Perspectives" Firefox add-on can help:

»www.cs.cmu.edu/~perspectives/md5.html
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?


Khaine

join:2003-03-03
Australia

Doesn't this just prove that the centralised model of trust is deeply flawed and that end users should not trust CAs? After all, MD5 has been considered insecure for long enough that it should not be used as a cryptographic hash, and yet some CAs are still using it.

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage

Re: SSL security flaw with MD5 certificates announced today

said by Khaine See Profile :

Doesn't this just prove that the centralised model of trust is deeply flawed and that end users should not trust CAs? Afterall MD5 has been considered insecure for long enough that it should not be used as a cryptographic hash, and yet some CAs are still using it.
It also shows that some browser suppliers (Mozilla) compound the confusion by showing an MD5 fingerprint for certificates that use SHA-1 With RSA Encryption.






--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
»portscan.dcs-net.net
»nature-pics.com
Mele20
Premium
join:2001-06-05
Hilo, HI

Re: SSL security flaw with MD5 certificates announces today

said by NetFixer:

It also shows that some browser suppliers (Mozilla) compound the confusion by showing an MD5 fingerprint for certificates that use SHA-1 With RSA Encrypt
I'm not sure that shows confusion. Look at the POC.

»https://i.broke.the.internet.and.all.i.g···dom.org/
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage

Re: SSL security flaw with MD5 certificates announces today

said by Mele20:

I'm not sure that shows confusion. Look at the POC.
»https://i.broke.the.internet.and.all.i.g···dom.org/
But if you go back one step, you will see that the phony certificate is actually MD5 with RSA Encryption. A real SHA1 with RSA Encryption certificate should reflect that at every stage.
Now I will grant that the average web user is not even going to look at the certificate, much less analyze it to that extent, but a faked MD5 certificate is not necessarily going to be undetectable by a suspicious site visitor.

Also, my original point was that just seeing an MD5 fingerprint on a Mozilla general tab does not indicate that the certificate is actually MD5 with RSA Encryption, it is just the quirky way that Mozilla based browsers display the general certificate information. The BellSouth certificate that I used for my original example is/was not an MD5 with RSA Encryption certificate, but the Mozilla certificate viewer shows an MD5 fingerprint nonetheless.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
»portscan.dcs-net.net
»nature-pics.com

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

Doesn't this just prove that the centralised model of trust is deeply flawed and that end users should not trust CAs?
For sure, it provides additional evidence against the trust model used.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5
Mele20
Premium
join:2001-06-05
Hilo, HI

SSL Blacklist has been updated for Firefox 1.5 and above and now "detects and warns about certificate chains that use the MD5 algorithm for RSA signatures."

You can download the xpi file here:

»codefromthe70s.org/sslblacklist.aspx

If you have disabled UserTrust Network root certs in Fx, you will need to reenable them (for software maker identification) otherwise Fx will not install this extension. It will throw an error that says it cannot be installed because "signing could not be verified - 260".
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Grail Knight
Who Dares Wins
Premium
join:2003-05-31
·Verizon Online DSL

Re: SSL security flaw with MD5 certificates announces today

A couple of questions, Marilyn, before I install a third-party extension that is not listed at the Add-ons site:

1. Does this extension provide secure updates?

2. Have you looked through the code and verified the extension does only what it claims to do?
--
"The little things are infinitely the most important."
SUMware
Premium
join:2002-05-21

From Netcraft
1 January 2009 -
quote:
14% of SSL Certificates signed using Vulnerable MD5 Algorithm

Netcraft's SSL Survey shows that 14% of valid third party SSL certificates have been issued using MD5 signatures — an algorithm that has recently been demonstrated to be vulnerable to attack by producing a fake certificate authority certificate signed by a widely-trusted third party certificate authority.

The researchers achieved this by producing a hash collision — they submitted valid certificate requests to a certificate authority (CA), while producing a second certificate that had the same signature but entirely different details. When the CA signed the valid certificate, the signature applied also to the invalid certificate, allowing the researchers to spoof any secure website that they liked. This attack is the first practical use against SSL of already-known attacks against the MD5 checksum algorithm.

Netcraft's December 2008 SSL Survey found 135,000 valid third party certificates using MD5 signatures on public web sites, which is around 14% of the total number of valid SSL certificates in use. The great majority consist of certificates from RapidSSL (shown as Equifax on the certificate). As of Netcraft's December survey, all of the 128,000 RapidSSL certificates in use on public sites were signed with MD5; there are some much smaller CAs that use MD5 still, and there are a small number of certificates from Thawte and VeriSign, although most of their certificates are signed with the more secure SHA1. Other CAs use only SHA1.

Verisign (owners of RapidSSL since 2006) have stated that they have stopped using MD5-signing for RapidSSL certificates, and will have phased out MD5-signing across all their certificate products by the end of January 2009. Other affected CAs are likely to follow suit, as SHA1 is well established and is already in use for the majority of SSL certificate signing, so it should be simple to switch to using this more secure alternative. Once it is impossible to obtain new certificates signed with MD5, this attack will be neutralised.

The attack requires a collision between newly created certificates — one valid and one fake — deliberately created by the attacker. As such, there is no particular risk to existing SSL certificates signed with MD5, and they do not need to be replaced. VeriSign are nevertheless offering free replacements for customers that want them; and it is possible that browsers will start to distinguish certificates signed with MD5 so that users can exercise caution, as CERT have issued a vulnerability note suggesting that users could check for this manually.

The researchers have noted that certificates for Extended Validation (EV) SSL websites cannot be faked in this way — because the EV standard requires SHA1 or better signatures, and indeed there are no MD5-signed EV certificates found by our survey. This shows that requiring minimum standards from the CAs can have positive effects — hopefully browser vendors will take note, and start requiring that CAs apply similar minimum standards to other certificates.

Security remains a moving target, however, as researchers have also started to find weaknesses in SHA1. Although there are no attacks as advanced as those against MD5, it is likely that SHA1 will also be increasingly threatened by collision attacks as research in this area continues. There are more secure cryptographic hashes available, however, so we can expect to see CAs start to phase in newer, stronger hashes over the next few years.
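Two things in this thread are worth being able to check for yourself: which algorithm actually signed each certificate in a chain (the thing the Netcraft piece says matters, and what SSL Blacklist warns on), and the point NetFixer makes that the "MD5 fingerprint" a certificate viewer shows is just a digest of the whole certificate and says nothing about the signature algorithm. The script below is an added example written for this page; it is not code from the thread, from Netcraft, or from the SSL Blacklist or Perspectives extensions. It uses only the Python standard library: a minimal DER tag-length-value reader pulls the outer signatureAlgorithm OID out of a certificate, and `fingerprints()` computes the viewer-style MD5/SHA-1 digests of the same bytes. Because the verifier runs offline, `fake_cert()` builds constructed stand-in certificates (a three-byte tbsCertificate and an all-zero signature) rather than real ones; the OID values and the DER layout are the real ones from PKCS#1 and X.509, and the same `audit_chain()` works on real DER certificates read from a file.

```python
import hashlib

# PKCS#1 signature-algorithm OIDs. This is the "signature algorithm" field
# inside the certificate, which is what the collision attack depends on.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4"}   # MD5: collisions are practical

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long form: low 7 bits = byte count
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn DER OID contents into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends a base-128 arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Dotted OID of a DER Certificate's outer signatureAlgorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)   # signatureAlgorithm
    tag2, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)

def fingerprints(cert_der):
    """Digests of the whole DER blob: what a viewer labels "MD5 fingerprint".
    Every certificate has one, whatever algorithm signed it."""
    return {"md5": hashlib.md5(cert_der).hexdigest(),
            "sha1": hashlib.sha1(cert_der).hexdigest()}

def audit_chain(chain_der):
    """Return [(index, algorithm name, weak?)] for each certificate in a chain."""
    report = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm(der)
        report.append((i, SIG_OIDS.get(oid, oid), oid in WEAK_SIG_OIDS))
    return report

# ---- constructed test input: minimal DER stand-ins, not real certificates ----

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert(sig_oid):
    """Constructed stand-in: tbsCertificate is SEQUENCE { INTEGER 1 } and the
    signature is zero bytes. Only the outer layout matters for this check."""
    tbs = _tlv(0x30, b"\x02\x01\x01")
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = _tlv(0x03, b"\x00" + bytes(16))   # BIT STRING: unused-bits byte + payload
    return _tlv(0x30, tbs + alg_id + sig)

if __name__ == "__main__":
    chain = [fake_cert("1.2.840.113549.1.1.5"),   # leaf, SHA-1 signed
             fake_cert("1.2.840.113549.1.1.4")]   # intermediate, MD5 signed
    for i, name, weak in audit_chain(chain):
        print(i, name, "WEAK" if weak else "ok", "md5 fp:", fingerprints(chain[i])["md5"])
```

Run as-is it prints one line per certificate; note that the SHA-1-signed leaf still has an MD5 fingerprint, which is the Mozilla display quirk discussed above. On a real chain, the certificate to care about is the intermediate or root whose MD5 signature shows that the CA is still issuing under MD5; a self-signed root's own signature is not what the browser trusts, so a flag on it is informational only.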
Kiwi
Premium
join:2003-05-26
USA

Re: 14% of SSL Certificates signed using Vulnerable MD5 Algorithm

That still begs my last response...
Friday, 27-Nov 19:16:01 | © 1999-2009 dslreports.com