SSL Broken!
... or so begins the rather alarming headline over at ZDNet - SSL broken! Hackers create rogue CA certificate using MD5 collisions

Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.

Is SSL really broken?

No, but another algorithm has been compromised - this time MD5.

The periodic breaking of encryption algorithms is an inevitable consequence of Moore's Law. All that is needed is sufficient compute power and you can break any encryption algorithm. In this case it took 200 clustered games consoles (don't let the word games fool you - these are powerful machines). However, today's supercomputer is tomorrow's low-end laptop, so MD5 can safely be written off as of now.

The more worrying factor here is that most browsers, including Firefox and IE, can be fooled by a rogue CA certificate created using this technique, so there's a potential * window of opportunity for the bad guys to profit from this until browsers are all modified.

* Potential because the exploit is safely in the hands of the good guys - for now.


Comments :

1. Richard Schwartz, 01/01/2009 02:54:35
Homepage: http://www.poweroftheschwartz.com


Actually, MD5 has been known to be broken for years, and it isn't just good guys who have known this. What's new here is that a practical attack on MD5-signed SSL certificates has been demonstrated by good guys. We don't know whether bad guys have already figured out an attack yet, though I would tend to doubt it.

What I'm unclear about right now is whether it is possible to use an MD5-signed certificate to spoof the identity of a site even if the real certificate is SHA1-signed. That would make it far more of a problem.

In any case, I think the browser patch will have to disable trust of all MD5-signed certs, so if you've got an MD5-signed server cert it's time to get a new SHA1-signed one.
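
Added example (not part of the original post or the comment above): a standard-library Python check that reads the signature algorithm out of a DER-encoded X.509 certificate and reports whether it is md5WithRSAEncryption, the kind of MD5-signed certificate the comment says should be replaced. The function names are illustrative, and the two sample byte strings are constructed skeletons, not real certificates.

```python
MD5_WITH_RSA = "1.2.840.113549.1.1.4"  # md5WithRSAEncryption

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(data):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [], 0
    for byte in data:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends a sub-identifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def alg_oid(buf, pos):  # OID inside the AlgorithmIdentifier SEQUENCE at pos
    _, start, _ = read_tlv(buf, pos)
    tag, oid_start, oid_end = read_tlv(buf, start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(buf[oid_start:oid_end])

def signature_oids(cert):
    """Return (tbsCertificate.signature, signatureAlgorithm) OIDs of a DER certificate."""
    _, start, _ = read_tlv(cert, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, start)  # tbsCertificate SEQUENCE
    tag, _, after = read_tlv(cert, pos)
    pos = after if tag == 0xA0 else pos      # step over optional [0] version
    _, _, pos = read_tlv(cert, pos)          # step over serialNumber
    return alg_oid(cert, pos), alg_oid(cert, tbs_end)

def uses_md5(cert):
    inner, outer = signature_oids(cert)
    if inner != outer:  # RFC 5280 requires both fields to name the same algorithm
        raise ValueError("inner and outer signature algorithms differ")
    return outer == MD5_WITH_RSA

# Constructed skeletons (not real certificates): version, serial, both algorithm fields, empty signature.
_SKEL = "302b3017a003020102020101{0}{0}030100"
MD5_SAMPLE = bytes.fromhex(_SKEL.format("300d06092a864886f70d0101040500"))
SHA1_SAMPLE = bytes.fromhex(_SKEL.format("300d06092a864886f70d0101050500"))
```

For a real certificate in PEM form, `ssl.PEM_cert_to_DER_cert` from the standard library produces the DER bytes these functions expect.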



