Slashdot Mirror

← Back to Stories (view on slashdot.org)

CCC Create a Rogue CA Certificate

Posted by CmdrTaco on from the they-even-faked-this-dept dept.

t3rmin4t0r writes "Just when you were breathing easy about Kaminsky, DNS and the word hijacking, by repeating the word SSL in your head, the hackers at CCC were busy at work making a hash of SSL certificate security. Here's the scoop on how they set up their own rogue CA, by (from what I can figure) reversing the hash and engineering a collision up in MD5 space. Until now, MD5 collisions have been ignored because nobody would put in that much effort to create a useful dummy file, but a CA certificate for phishing seems juicy enough to be fodder for the botnets now."

11 of 300 comments (clear)

  1. Why trust the PKI? by characterZer0 · · Score: 5, Interesting

    Why does your bank not give you a compact disc with their public key on it when you sign up for an account?

    --
    Go green: turn off your refrigerator.
    1. Re:Why trust the PKI? by Nursie · · Score: 2, Interesting

      Sounds like a great plan to me. Plus have a "Use only my bank's CA" mode built into your browser so you know damn well it's them and nobody else.

    2. Re:Why trust the PKI? by Mister+Whirly · · Score: 2, Interesting

      All one would have to do after a user's login credentials have been obtained is to get thier phone number, pick up the phone, call them, and say
      "This is Mr. Soandso from &BANK NAME&. We have had a recent error in the code cards and would like to verify that you have one of the ones that is not a problem. Could you read line &LINE NUMBER& to me so I can check to see if you have a valid code list?"

      Sure it is a little extra effort, but not so much that nobody would attempt it.

      --
      "But this one goes to 11!"
  2. Still using MD5 for this ? by Yvanhoe · · Score: 3, Interesting

    These certificates are at the basis of truth on secure websites. MD5 has been known to have vulnerabilities for a loooong time (2004 according to the link article). Why do not banking services keep up to date with the state of the art crypto ?

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  3. its only the CA's that use MD5 so the question is. by johnjones · · Score: 2, Interesting

    some CA's use MD5 the question really should be which ones

    they point to a rather doomsday scenario of having a problem with all SSL Certificate Authorities

    this is not the case

    only the ones that use MD5

    so the question really is what is the list of SSL Certificate Authorities that do this ?

    regards

    John Jones

    http://www.johnjones.me.uk

  4. Re:No weakness by plover · · Score: 2, Interesting

    Brute force? Not according to TFA:

    In the interest of protecting the Internet against malicious attacks using our technique, we have omitted the critical details of our sophisticated and highly optimized method for computing MD5 collisions.

    It says they compute collisions, which is indeed a weakness in MD5. Even if they use brute force, the fact that it's forceable is still a weakness.

    Now, MD5 still probably makes for a pretty good checksum for utilities like Tripwire and such, but for security it's broken, broken, broken.

    --
    John
  5. Re:Alright this Internet is ruined by plover · · Score: 3, Interesting

    I wonder how broken the intarwebs would be to me if I simply deleted all the MD5-based root certificates from my box? Would I even notice?

    --
    John
  6. Reality check for Mozilla by Burz · · Score: 4, Interesting

    First, this issue is about banks (for instance) verifying themselves to the client, not the other way around, so not sure how OTPs and such figure into this.

    Overall, between the drama over one of Comodo's trustee CAs handing out certs without verification (for mozilla.com no less) and this MD5 attack, there is a lesson on this for Mozilla:

    Trusted CAs aren't the epitome of web safety. In fact, they are LESS safe than one of those "Invalid" (to use Mozilla's ill-chosen words) self-signed certificates under some circumstances.

    I put the ranking of https safety as follows:

    1. Any self-generated cert (even self-signed) which has been directly copied from the service provider (bank, etc.) and imported into the browser.

    Though this is the most secure, it is a shame that the user may receive warnings from other Firefox users who visited the site about the cert being "Invalid", undermining confidence in this most secure method of using certs.

    2. Any self-generated cert (even self-signed) verified by SHA1 fingerprint "out of bank" (e.g. letter or phone call or even email) then imported into the browser. Unfortunately the easiest method to initiate this procedure (visit the site, verify then click on a button to import) is now somewhat broken in Firefox and will quite inappropriately undermine the user's confidence in what is otherwise a very secure cert.

    3. Relying on the browser-trusted CAs. Unfortunately there now many of them which are obscure even in the tech community, and some are sloppy and incompetent.

  7. Maybe a Firefox config setting by McNihil · · Score: 2, Interesting

    Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kind of attacks?

  8. collision attacks are easy to identify by conspirator57 · · Score: 5, Interesting

    note that the collision attack requires a bit of junk in the cert to make the hash be the same as for the original... this means the junk will not look like the rest of the cert. the rest of the cert is formatted and the collision noise will look mostly random. a simple test for unexpected randomness in the cert data (including Netscape comments) would reveal this sort of mischief. it just takes a bit of code on the browser to look for it. shouldn't even degrade browsing performance too much.

    --
    "If still these truths be held to be
    Self evident."
    -Edna St. Vincent Millay
  9. Mod parent up by Anonymous Coward · · Score: 1, Interesting

    Constraining the content allowed in certificate files should improve the robustness of certificate files.

    This approach is notable in that it requires updating SSL implementations to be more stringent -- but it generally shouldn't require changes in the x509 data. Some considerations:

    • New certificates can be backward compatible with unpatched SSL implementations.
    • Most old certificates can be forward compatible with patched SSL implementations. The problem cases will come from esoteric "Extensions".
    • Unpatched SSL implementations remain vulnerable.
    • A huge range of SSL implementations can be patched by vendors' automatic update mechanisms.
    • Each vendor can set its own timeline for deploying a patch.
    • This type of patch would not be peculiar to MD5 -- it should mitigate the damage caused by weaknesses in current and future hash algorithms.

    IANAPC,BIRACBBS!