Kiwi
Premium
join:2003-05-26
USA | reply to SUMware
Re: 14% of SSL Certificates signed using Vulnerable MD5 Algorith
That still begs the my last response... |
|
SUMware
Premium
join:2002-05-21
| reply to TKJunkMail
14% of SSL Certificates signed using Vulnerable MD5 Algorithm
From Netcraft
1 January 2009 - quote:
14% of SSL Certificates signed using Vulnerable MD5 Algorithm
Netcraft's SSL Survey shows that 14% of valid third party SSL certificates have been issued using MD5 signatures — an algorithm that has recently been demonstrated to be vulnerable to attack by producing a fake certificate authority certificate signed by a widely-trusted third party certificate authority.
The researchers achieved this by producing a hash collision — they submitted valid certificate requests to a certificate authority (CA), while producing a second certificate that had the same signature but entirely different details. When the CA signed the valid certificate, the signature applied also to the invalid certificate, allowing the researchers to spoof any secure website that they liked. This attack is the first practical use against SSL of already-known attacks against the MD5 checksum algorithm.
Netcraft's December 2008 SSL Survey found 135,000 valid third party certificates using MD5 signatures on public web sites, which is around 14% of the total number of valid SSL certificates in use.The great majority consist of certificates from RapidSSL (shown as Equifax on the certiifcate). As of Netcraft's December survey, all of the 128,000 RapidSSL certificates in use on public sites were signed with MD5; there are some much smaller CAs that use MD5 still, and there are a small number of certificates from Thawte and VeriSign, although most of their certificates are signed with the more secure SHA1. Other CAs use only SHA1.
Verisign (owners of RapidSSL since 2006) have stated that they have stopped using MD5-signing for RapidSSL certificates, and will have phased out MD5-signing across all their certificate products by the end of January 2009. Other affected CAs are likely to follow suit, as SHA1 is well established and is already in use for the majority of SSL certificate signing, so it should be simple to switch to using this more secure alternative. Once it is impossible to obtain new certificates signed with MD5, this attack will be neutralised.
The attack requires a collision between newly created certificates — one valid and one fake — deliberately created by the attacker. As such, there is no particular risk to existing SSL certificates signed with MD5, and they do not need to be replaced. VeriSign are nevertheless offering free replacements for customers that want them; and it is possible that browsers will start to distinguish certificates signed with MD5 so that users can exercise caution, as CERT have issued a vulnerability note suggesting that users could check for this manually.
The researchers have noted that certificates for Extended Validation (EV) SSL websites cannot be faked in this way — because the EV standard requires SHA1 or better signatures, and indeed there are no MD5-signed EV certificates found by our survey. This shows that requiring minimum standards from the CAs can have positive effects — hopefully browser vendors will take note, and start requiring that CAs apply similar minimum standards to other certificates.
Security remains a moving target, however, as researchers have also started to find weaknesses in SHA1. Although there are no attacks as advanced as those against MD5, it is likely that SHA1 will also be increasingly threatened by collision attacks as research in this area continues. There are more secure cryptographic hashes available, however, so we can expect to see CAs start to phase in newer, stronger hashes over the next few years.
|
|
Grail Knight
Who Dares Wins
Premium
join:2003-05-31
 ·Verizon Online DSL
| reply to Mele20
Re: SSL security flaw with MD5 certificates announces today
A couple of questions Marilyn before I install a third party extension that is not listed at the Addons Site?
1. Does this extension provide secure updates?
2. Have you looked through the code and verified the extension does only what it claims to do?
--
"The little things are infinitely the most important." |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to TKJunkMail
SSL Blacklist has been updated for Firefox 1.5 and above and now "detects and warns about certificate chains that use the MD5 algorithm for RSA signatures."
You can download the xpi file here:
»codefromthe70s.org/sslblacklist.aspx
If you have disabled UserTrust Network root certs in Fx, you will need to reenable them (for software maker identification) otherwise Fx will not install this extension. It will throw an error that says it cannot be installed because "signing could not be verified - 260".
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
 ·Vonage
 ·Cingular Wireless
·AT&T CallVantage
1 edit | reply to Mele20
But if you go back one step, you will see that the phony certificate is actually MD5 with RSA Encryption. A real SHA1 with RSA Encryption certificate should reflect that at every stage.
Now I will grant that the average web user is not even going to look at the certificate, much less analyze it to that extent, but a faked MD5 certificate is not necessarily going to be undetectable by a suspicious site visitor.
Also, my original point was that just seeing an MD5 fingerprint on a Mozilla general tab does not indicate that the certificate is actually MD5 with RSA Encryption, it is just the quirky way that Mozilla based browsers display the general certificate information. The BellSouth certificate that I used for my original example is/was not an MD5 with RSA Encryption certificate, but the Mozilla certificate viewer shows an MD5 fingerprint nonetheless.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
»portscan.dcs-net.net
»nature-pics.com |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to NetFixer
said by NetFixer  :It also shows that some browser suppliers (Mozilla) compound the confusion by showing an MD5 fingerprint for certificates that use SHA-1 With RSA Encrypt I'm not sure that shows confusion. Look at the POC.
»https://i.broke.the.internet.and.all.i.g···dom.org/
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
Kiwi
Premium
join:2003-05-26
USA
 ·Comcast
·Aristotle Internet
| reply to TheWiseGuy
This has migrated, somewhat. Though correct in summation, this still begs the MD5 hash, as a NEW problem. Granted SHA-1 & et al to come will further endorse a cert viability; based on perhaps some mythological endeavor to secure a cert in the future. It still seems to me that a layered approach is not a singularity; based on an MD5 cert. Or am I missing something here?
Hey, I can be wrong. |
|
mysec
Premium
join:2005-11-29 | reply to TheWiseGuy
Thanks for the clarification. Now, I don't know if I will ever use the internet in a hotspot.
Certainly, not to conduct any business! |
|
TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY
| reply to mysec
To hijack your connection via wireless to me implies you are not at home using a secure encryption protocol such as WPA to connect to the router but using a hotspot.
In your previous post you discussed redirection and DNS but a MITM does not involve either and IMO is the bigger risk.
At a hotspot an Evil twin would allow a MITM and the DNS addresses to the secure sites would not be changed. When using a wireless hotspot SSL would tend to be secure even against a MITM if you can trust the certificates. If certificates were/are compromised then you can not even trust connecting via SSL, from a hotspot.
Another worry not just at a hotspot is the possibility that someone "exploits the internet routing protocol" to create a MITM to some Brokerage or Banking sites.
While preventing redirection or DNS poisoning may mitigate the risk it will not at least IMO reduce the real problems.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. |
|
mysec
Premium
join:2005-11-29
2 edits | reply to TKJunkMail
OK, thanks.
EDIT: I've removed my response and examples to protect, since they referred to classic pharming and DNS poisoning, and not to MITM, as TheWiseGuy clarified.
----
rich |
|
TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast
| reply to mysec
said by mysec :Two questions: 1) For those using wireless, please explain how this takes place. 2) Why use as an example, google.com, which is not https? thanks, ---- rich # 1 can be accomplished with what is known as a "Man In The Middle" attack.
»en.wikipedia.org/wiki/Man_in_the···e_attack
& specifically a wireless attack:
»en.wikipedia.org/wiki/Man_in_the···Examples
# 2 - Google does use https for their gmail product:
»https://mail.google.com/mail/#inbox
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk? |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
·AT&T Midwest
| reply to Khaine
Doesn't this just prove that the centralised model of trust is deeply flawed and that end users should not trust CAs? For sure, it provides additional evidence against the trust model used.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5 |
|
NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage
| reply to Khaine
said by Khaine :Doesn't this just prove that the centralised model of trust is deeply flawed and that end users should not trust CAs? Afterall MD5 has been considered insecure for long enough that it should not be used as a cryptographic hash, and yet some CAs are still using it. It also shows that some browser suppliers (Mozilla) compound the confusion by showing an MD5 fingerprint for certificates that use SHA-1 With RSA Encryption.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
»portscan.dcs-net.net
»nature-pics.com |
|
mysec
Premium
join:2005-11-29
| reply to TKJunkMail
said by article :
Let’s look at an example were a rogue CA is used maliciously to generate a certificate for www.google.com . The attacker hijacks your web connection while you are using wireless and impersonates google using the malicious certificate.
To allow Perspectives to detect these attacks, you must instruct it to contact Notaries for all HTTPS sites, even if your browser considers the certificate valid.
Two questions:
1) For those using wireless, please explain how this takes place.
2) Why use as an example, google.com, which is not https?
thanks,
----
rich |
|
Khaine
join:2003-03-03
Australia
| reply to TKJunkMail
Doesn't this just prove that the centralised model of trust is deeply flawed and that end users should not trust CAs? Afterall MD5 has been considered insecure for long enough that it should not be used as a cryptographic hash, and yet some CAs are still using it. |
|
TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast
| reply to TKJunkMail
said by TKJunkMail :Good link. I have been using Perspectives Add-on in Firefox for a couple months now. The Perspectives team has created a web page about this exploit and how their "Perspectives" Firefox add-on can help:
»www.cs.cmu.edu/~perspectives/md5.html
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk? |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to Graycode
That's a good reference.
When a CA is doing some investigation to approve a certificate, that will take time. As a result the validity times will be harder to predict. Apparently the demonstration used RapidShare, which generates certificates on the spot. That makes the validity more easily predictable. And presumably the serial can be predictable if done sequentially.
It seems to me that a CA could:
randomize the serial numer;
randomize the validity (adding a few random days, with random hour/minute specified) expiration time.
randomize the validity start time, by backdating the start by a random amount of time from the present.
Such steps would make it far harder to exploit this. However, moving away from MD5 is certainly advisable too.
Even with one of these certificates, you could probably only use that effectively in an MITM attack. And there are many other difficulties involved in launching an MITM attack.
My conclusion: there's no need to panick about this. It isn't practical as a general threat. It is perhaps more of a threat to specialized system known to have valuable data, and worth the expense of attempting to exploit it. But, mostly, it serves as a reminder that it is time to phase out the use of MD5.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5 |
|
mysec
Premium
join:2005-11-29
| reply to Graycode
"This morning's MD5 attack - resolved"
»www.win.tue.nl/hashclash/rogue-ca/
Verisign, the owner of the RapidSSL brand, has immediately responded when our work became public. See the announcement "This morning's MD5 attack - resolved" by Tim Callan. Some interesting quotes from this blog: • "We applaud security research of this sort and are glad that white hats like the "MD5 Collision Inc." group make a point of investigating online security."
• "We have discontinued using MD5 when we issue RapidSSL certificates, and we've confirmed that all other SSL Certificates we sell are not vulnerable to this attack. We'll continue on our path to discontinue MD5 in all end entity certificates by the end of January, 2009."
• "... any customer who would like to do so can replace any MD5-hashed certificate free of charge."
|
|
Graycode
join:2006-04-17
·net2phone
1 edit | reply to nwrickert
Re: SSL security flaw with MD5 certificates announces today
said by nwrickert :What I don't quite understand about this, is that while signing the certificate the CA makes some editorial changes to the certificate content. These include inserting a serial number and start and expire dates. If these changes are included in what is hashed for the signature, then that would seem to disrupt the method of attack - unless the attacker can predict this data. Maybe serial and date info are not in the signature hash, but that would be a surprising weakness if true. You may be exactly right about the serial. The following is by Eric Rescorla, author of recent TLS versions.
»www.educatedguesswork.org/2008/1···t_a.html
quote:
The relevance of the serialNumber is this: unlike the name and the public key, the serialNumber and validity are generated by the CA. So, you need to know in advance what they will be in order to generate the appropriate colliding "bad" certificate. The validity is typically just generated as something like a year or two from the time of issue, so it's relatively predictable. The CA has a lot of freedom in how to generate the serial number. If it's truly a sequence number, it's quite predictable. However, if it's randomly generated, then it can be made arbitrarily unpredictable, which effectively blocks this kind of collision attack. When MD5 collisions were first discovered, the two standard recommendations were (1) stop using MD5 and (2) generate random serial numbers.
...
Bottom Line
As usual, don't panic. In its current state, this is more of a demonstration of a hole than a serious hole. Countermeasures are readily available to the CAs and if the remaining CAs fix their practices fast enough, then it's unlikely that there will be any more bad certificates issued ...
|
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to TSI Gabe
For hashing strings:
Given a string, find another credible string with the same MD5 hash: this is still a difficult problem.
Find two strings with the same MD5 hash. This can be done (has been done).
For certificates:
Given a certificate, find another certificate that will generate the same MD5 hash. This is still a difficult problem.
Find two certificate requests, such that the two certificates will have the same hash. This is presumably an easier problem.
It's the second of these that the exploit security flaw is about. If you can generate two certificate requests that will have the same hash, then you have the CA sign one, and copy that signature into the other.
What I don't quite understand about this, is that while signing the certificate the CA makes some editorial changes to the certificate content. These include inserting a serial number and start and expire dates. If these changes are included in what is hashed for the signature, then that would seem to disrupt the method of attack - unless the attacker can predict this data. Maybe serial and date info are not in the signature hash, but that would be a surprising weakness if true.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5 |
|
