CCC Create a Rogue CA Certificate

t3rmin4t0r writes "Just when you were breathing easy about Kaminsky, DNS and the word hijacking, by repeating the word SSL in your head, the hackers at CCC were busy at work making a hash of SSL certificate security. Here's the scoop on how they set up their own rogue CA, by (from what I can figure) reversing the hash and engineering a collision up in MD5 space. Until now, MD5 collisions have been ignored because nobody would put in that much effort to create a useful dummy file, but a CA certificate for phishing seems juicy enough to be fodder for the botnets now."

Alright this Internet is ruined

Let's go make a new one.

Re:Alright this Internet is ruined

[plover]

I wonder how broken the intarwebs would be to me if I simply deleted all the MD5-based root certificates from my box? Would I even notice?

Re:Alright this Internet is ruined

[Alrescha]

"I wonder how broken the intarwebs would be to me if I simply deleted all the MD5-based root certificates from my box? Would I even notice?"

I think a better idea would be to simply delete all the certificates from your box (CA certs included!). Then start marking individual web certs as trusted after you inspect them yourself.

A.

Re:Alright this Internet is ruined

[neoform]

Will there be blackjack and hookers?

Re:Alright this Internet is ruined

[MyHair]

I'm considering this myself. I'm wondering if there's a way for me to sign approved certificates or otherwise whitelist certs. Eh, it would probably be easier to mark individual web certs. From how many PCs do I need to access my important secure web sites, anyway?

Re:Alright this Internet is ruined

[cbiltcliffe]

Wouldn't the salt have to be public, in order for the legitimate CA certs to work?

Or if the salt was private, wouldn't you still be able to engineer an MD5 collision in the same way, without said salt?

And if the salt was required, wouldn't it be available in the source of any of the dozens of open source browsers out there?

And have we, yet again, proven that security by obscurity doesn't work?

Re:Alright this Internet is ruined

[vux984]

And have we, yet again, proven that security by obscurity doesn't work?

Salt really has nothing to do with security by obscurity.

Salt has everything to do with preventing dictionary attacks using precomputed hashes of a gazillion passwords.

Salt, done well, is generated randomly for each password. That way you need to attack each password in the database separately.

The problem here is that they are brute forcing collisions; and have the resources and motivation to do it.

Re:Alright this Internet is ruined

[Ed+Avis]

What about if a patched version of the crypto libraries deliberately fouled up the calculation of MD5 hashes (say, by returning random data), so you could be sure that you weren't depending on this weak algorithm?

Re:Alright this Internet is ruined

[PAjamian]

If you RTFA you'll note that there is only one known CA that is really vulnerable to this attack, RapidSSL (and also FreeSSL which is part of RapidSSL). This is due to the necessary timing of the validity period and the sequential serial numbers used by the CA.

Also of note is that it doesn't matter what encryption was used to sign the root cert, what matters is the type of encryption that the vulnerable CA uses to sign *your* cert. The CA's certificate could be signed with MD5, SHA1 or anything, really.

Re:Alright this Internet is ruined

[ka9cql]

It doesn't matter whether MD5 was used by the root certificates, or not. The issue is that the attackers injected themselves within your web browser's chain-of-trust, not that they utilized MD5 (or any other algorithm) to achieve this position. This group was able to anticipate and thereby "control" various CA-generated aspects of a digital certificate that they were eventually able to purchase. By carefully crafting a particular certificate - presumably for a domain which they have some reasonable responsibility or control - they could cause the CA to sign a new certificate with an MD5 hash that has an advantageous value. They then copied this hash value (and various other pieces of their new certificate) into a second certificate, forged to look like it's for a website that they presumably DO NOT have any responsibility or control. Because of their careful pre-planning, they were assured that the copied-over certificate's hash value would exactly match that of the certificate that they were (more or less) legitimately issued by the CA. This has the effect of fooling your browser into believing that their "bogus" certificate was, in fact, legit. The really nice twist to all this, IMHO, is that they though to make the new certificate ANOTHER, TRUSTED, CERTIFICATE AUTHORITY!! That was pure genius! Once they did that, they could then turn right around and sign as many certificates as their hearts desired, all of which would be blindly trusted by your web browser. Nice piece of work!

Re:Alright this Internet is ruined

[ka9cql]

Another point of this research was that no human being can, just by looking at a digital certificate, itself, can know whether it is a real certificate or a fake one.

In fact, the researchers did not provide a revocation-checking URL in their original certificate-signing request. This means that most tools (including your web browser) would not have a way of checking whether their bogus certificate had been revoked by the original certificate's CA, even if they ever found out that their legit certificate had been used for other purposes (based solely upon the cert's serial number).

Re:Alright this Internet is ruined

[Lord+Ender]

I think a better idea would be to simply delete all the certificates from your box (CA certs included!). Then start marking individual web certs as trusted after you inspect them yourself.

"Honey, did you order those tickets yet?"

"Hold on! I'm reading through their certificate issuer's published policy documents. I think I am going to have to audit their CA systems on-site before I can connect to this website."

Re:Alright this Internet is ruined

[Bostik]

I quote the team from memory (I just returned from CCC):

Removing or disabling all certificates where a MD5 signature was used somewhere in the chain (or was that just for those that had intermediate CA's signed with MD5? - anyhow...), would cripple approximately 30% of the entire internet.

Re:Alright this Internet is ruined

[Tumbleweed]

Let's go make a new one.

We will go with Internet Emergency Plan A: Move the Internet 10 miles down the road. Done and done!

Re:Alright this Internet is ruined

[johny42]

If you RTFA you'll also note that the only one known CA that is really vulnerable to this attack fixed it the next day.

Re:Alright this Internet is ruined

[cbiltcliffe]

But salt for a CA cert verification method would have to be the same for each cert, or public, wouldn't it?
And either way, it's useless for the way that salt is used for password hashes in /etc/shadow or the like.

I'm not much on the inner workings of PKI yet, so I'm really asking a legitimate question here.

Re:Alright this Internet is ruined

[vux984]

But salt for a CA cert verification method would have to be the same for each cert, or public, wouldn't it?

Yes.

And either way, it's useless for the way that salt is used for password hashes in /etc/shadow or the like.

More or less, yes. Its not 'useless' per se, but since they are attacking a given cert specifically anyway, salt doesn't really add anything.

The original poster who suggested salt in the first place didn't know what they were talking about.

Re:Alright this Internet is ruined

[PAjamian]

You're referring to an update of the article dated December 31st. My post above was dated December 30th and was fully correct as of the date of posting.

Rouge CA?

[realmolo]

I prefer teal CAs, myself. Or possibly burnt sienna CAs. Sometimes fuschia CAs.

It's ROGUE you dumbass.

Re:Rouge CA?

[Daimanta]

It could be a rogue communist CA. That way, they're both!

Re:Rouge CA?

[Dagvl]

Well, the rogue certificates were red in the diagrams, so using "rouge CA" in the summary has some backing :)

Re:Rouge CA?

[nsushkin]

I prefer teal CAs, myself. Or possibly burnt sienna CAs. Sometimes fuschia CAs.

It's ROGUE you dumbass.

Surely you meant FUCHSIA

Re:Rouge CA?

[supernova_hq]

I both self sign a CA and manage a .ca you insensitive clod!

from the ... dept?

[TypoNAM]

Oh noes! What department of Slashdot did this article come from? Its the end of the world as we know it! ;)

Re:from the ... dept?

[DoofusOfDeath]

Oh noes! What department of Slashdot did this article come from? ...

Hold on - I'll check the signature.

Re:from the ... dept?

[Tei]

One where you think "OH NOES"... and forgot to add a dept. :-/

Re:from the ... dept?

[TypoNAM]

I hate replying to myself, but if anybody hasn't noticed that CmdrTaco has been trying to tell us something and by this article he has apparently given up:

Alan Cox Leaves Red Hat
Posted by CmdrTaco on 10:11 AM -- Tuesday December 30 2008
from the bet-wherrever-he's-going-he'll-have-electricity-and-heat dept.

The Fight Over NASA's Future
Posted by CmdrTaco on 08:15 AM -- Tuesday December 30 2008
from the still-no-power-at-my-house dept.

Storm Causes AT&T Outage Across Midwest
Posted by CmdrTaco on 08:55 AM -- Monday December 29 2008
from the guess-who-this-includes dept.

So he's without power and worse no internet at his home, aww poor CmdrTaco. Somebody please think of the slashdot editors! Anybody got a spare generator and fuel? ;)

Re:from the ... dept?

[MBCook]

Let's put up a poll to see what we can all do!

• I'll put Taco up at my place
• I'll donate some food
• I'll donate some fuel
• I'll donate some CPU time
• Taco is a big boy, he can help himself

Re:from the ... dept?

[Chelloveck]

Huh. Last I knew, Taco lived not too far from me (Dexter, MI). I hadn't heard of any persistent power outages around here, though we did have a nasty wind storm over the past couple days. Could be something as localized as the line that feeds his house. Or maybe...

Hey, Cmdr Taco! Go downstairs and check your breakers!

Re:from the ... dept?

[AmberBlackCat]

Just unblock Alexa. I doubt it will be as bad as Slashdotters think.

Re:from the ... dept?

[jeffmeden]

What's he doing at home, anyway? Go to work, you lazy git! They have power, heat, and internet there (if it's anything like where I work.)

Re:from the ... dept?

[TheoMurpse]

You forgot "Taco and CowboyNeal spoon for warmth"

Re:from the ... dept?

[geekmux]

So he's without power and worse no internet at his home, aww poor CmdrTaco. Somebody please think of the slashdot editors! Anybody got a spare generator and fuel? ;)

Ah, is it just me, or is anyone else wondering what magic uberg33k dust he's using to power his hardware and post these messages in what appears to be a massive power outage?

For a man looking for food and fuel, he sure does have a shitload warstock of fully-charged laptop batteries and solar-powered cable modems.

(Copyright 2008 Captain-Not-So-Obvious, Inc.)

Re:from the ... dept?

[Tubal-Cain]

Downstairs? Are there sub-basements where you live?

Re:from the ... dept?

[nutznboltz]

off by nine years

Rouge CA?

[Bert64]

The commies are creating their own CA!! PANIC!!!

Why trust the PKI?

[characterZer0]

Why does your bank not give you a compact disc with their public key on it when you sign up for an account?

Re:Why trust the PKI?

[nurb432]

Or a usb key :)

Re:Why trust the PKI?

[Nursie]

Sounds like a great plan to me. Plus have a "Use only my bank's CA" mode built into your browser so you know damn well it's them and nobody else.

Re:Why trust the PKI?

[Nursie]

Sorry to self reply but.... on top of that we should all switch away from MD5 anyway.

Re:Why trust the PKI?

[fastest+fascist]

Using that would probably be more hassle than your average user is willing to put up with. A bigger wtf is, in my opinion: Do so many banking services really rely on a single login/pass combo per user for authentication? When banking security comes up here, I see people worry about having their login+pass revealed, which makes me think that's the only verification their banks use.

My bank at least also uses a one-time pad system, namely a numbered list of 100 pre-generated codes. So I log in using a username and pass, and then to actually do something with the on-line banking system I'm asked to provide the code that relates to a randomly chosen number between 0000 and 0099. A code can only be used once. So basically if the phishing site manages to get hold of a few numbers from a user's passcode list, the chances are still pretty slim they'll be able to do anything with them.

Of course, if they scam hundreds of people, they will get a few successes, but not very many.

Re:Why trust the PKI?

[YouWantFriesWithThat]

shit, they could put the browser right on the usb drive and only allow online banking through their locked down browser on the drive.

Re:Why trust the PKI?

[plover]

Better yet, why don't they give you a smart card containing their certificate, your secret key, and provide your key encryption functions? The U.S. Army does something similar to this today -- their ID cards contain private keys for the personnel. (Unfortunately, adding the CA certificate needed to trust the card is a tedious process.)

Re:Why trust the PKI?

[wsanders]

Actually, if you look in your Firefox built-in CA's, Wells Fargo has a couple of entries in there. I don't know *how* they got in there, of whether they work, but it looks like some kind of experiment in that direction.

Of course I would propose it's probably easier to get a bogus version of Firefox with evil CA's in a lot of PCs, than successfully set up a rogue CA, but when there are billions on dollars at stake, who cares how difficult it is.

Re:Why trust the PKI?

[pete-classic]

That's fine for your one bank that you set up once.

I go to a lot of shows at small venues around town. Should I spend a couple of days driving around to all of them collecting their certs so I can buy tickets? (Maybe. Maybe once, maybe never.)

And where do I pick up my gmail certificate CD? And for my credit card company? (The one that doesn't have an office in my state.) And for my insurance company?

Oh, and I like to pay my cable, power, and cell phone bills on-line, too. So I guess I need to get CDs from them as well.

Oh, I also do my time sheets for work through a secure website. And I get my pay stubs through another. And manage my 401k through yet another.

I'm not so sure about your plan.

-Peter

Re:Why trust the PKI?

[Mister+Whirly]

All one would have to do after a user's login credentials have been obtained is to get thier phone number, pick up the phone, call them, and say
"This is Mr. Soandso from &BANK NAME&. We have had a recent error in the code cards and would like to verify that you have one of the ones that is not a problem. Could you read line &LINE NUMBER& to me so I can check to see if you have a valid code list?"

Sure it is a little extra effort, but not so much that nobody would attempt it.

Re:Why trust the PKI?

[MartinSchou]

How exactly does that protect against a man in the middle attack, where the MitM has an apparently valid certificate? He'll just post a mirror of their site, change your actions to ones that include moving money out of your account to one of theirs and pass along a request for a validation to you.

Re:Why trust the PKI?

[characterZer0]

People need to be trained. If somebody claiming to be your bank calls you, ask at which extension he can be reached from the number you have for your bank, and call back. Simple.

Re:Why trust the PKI?

[characterZer0]

And people need to be trained not to give out information. If he asked me to read him line X to see if it is correct, I would tell him to tell me what he thinks line X should be, and I will tell him if he is right.

It is simple: do not give out information that they should already have, except that which you already know is to be used for the purpose of identifying yourself to them.

Organizations need to deal with this though. I had somebody call me from my bank asking me about charges I had made. I asked for the extension to call back. The bank had outsourced the function, and could not tell me anything other than "somebody will call you claiming to be from us, and ask you for information." I hope they have gotten it straightened out, but I refused to play along.

Re:Why trust the PKI?

[fastest+fascist]

good point - my bank also uses the keycodes for verification over the phone when a customer calls them, so it's not a big stretch that they would call to ask about an "important issue" but say that first they need to verify you are who you say you are...

Re:Why trust the PKI?

[Mister+Whirly]

Very true. Studies have shown that people want to be helpful and will give up information they shouldn't. And all good crackers know to attack the weakest link in the security chain - the user. The most complex lock in the world will not help you if someone hands the keys over to the "bad guys".

Re:Why trust the PKI?

[blhack]

Our bank (chase) gave us a credit-card-sized device with an LCD on it.

It generates 8 (i think it is 8, I don't work in accounting) digit numbers that we need to put in when we log into their website to view checks and manage our account.

The numbers change every few minutes.
Is this similar to what you've got?

Re:Why trust the PKI?

[Amouth]

some places use them here .. they are normaly RSA keys and are 2-300$ each and are optional.. my bank doesn't use them.. but i know realestate agents that have to have them to open lock boxes on houses.. someone was a good sales man for that one.. and the banks jsut don't give a fuck.. if someone takes money out of my account it isn't their proplem as i'm the one that is short

Re:Why trust the PKI?

[Mister+Whirly]

I follow the same guidelines, but unfortunately, we are in the minority when it comes to things such as this.

Re:Why trust the PKI?

[fastest+fascist]

My bank just issues printed cards with a hundred keycodes on them.

Re:Why trust the PKI?

[Reece400]

I know, what if they just installed secured computers which allow exclusive access to their system, in various locations throughout the country so there was always one near by!

They could even install cash dispensing devices to allow you to withdraw funds from your account, maybe call them Automated Teller Machines or something along those lines. Wow, I should totally patent this idea

Re:Why trust the PKI?

[YouWantFriesWithThat]

well, i wouldn't care too much if they had a log of my username/pass if that wasn't the only credential needed to clean out my account. if there is a signed usb drive needed that will be pretty hard to clone with a keylogger.

Re:Why trust the PKI?

[c_g_hills]

I am a normal non-business customer of a bank in the UK and I have a reader supplied by the bank that generates either a one time code for identity, or a code based upon an account number used for securing money transfers (so you can tell that you are not being phished). In both cases, the chip card and pin are required in combination with the reader, making it a rather secure system.

Re:Why trust the PKI?

[Ndiin]

How does that help if you can't trust the site, though? That only adds trust on your end, not theirs.

Re:Why trust the PKI?

[mrstrano]

Oh yeah, also your Electric Company should give you one, your phone company and Paypal should send you one and EBay, Amazon.. Wait a minute. This would be a mess of CDs and usb keys. You know what, let's set up a single place accessible on line where all this certificates are stored.. Let's call it, Certification Authority :)

Re:Why trust the PKI?

[cbiltcliffe]

What makes you think the next keylogger trojan won't also make a copy of all USB drives (including volume serial number) upon insertion?

There goes your secure access......

Re:Why trust the PKI?

[Intron]

Fezzik, tear his arms off.
Oh, you mean this gate key.

Re:Why trust the PKI?

[horatio]

This is exactly what I do. When a bank or CC issuer calls (usually to verify a purchase) I call the number listed on the back of the card, not the number left in the message.

Re:Why trust the PKI?

[ion.simon.c]

Heh. I assume that *all* public computers are configured to copy any and all private key material on USB devices.

Re:Why trust the PKI?

[RazzleDazzle]

Why not just store all the banking data right on the USB drive itself and hand that out to every customer then you never have to even get online to check your accounts. Just think of it as a modern day sneaker net. Virtually no chance of MITM attacks or eavesdropping. I think this is an ingenious idea.

Now how do I patent this?

Re:Why trust the PKI?

[mlts]

I'd like to see banks print out their cert's SHA-512 hash onto printed material, and as stated above, have a mode in the browser to scream bloody murder if www.bank.com's cert is anything but the cert with the hash pre-entered.

Web browsers could also distribute a list of certs for major sites that are doublechecked to be actual certificates for that site, similar to how root certificates are maintained. One could even go to the next step of precaching the actual public keys on the Web browser so there is no chance of a site trying to inject a bogus key for a known site. Of course, there are weaknesses in this... SSL certs expire and too many precached certs would add a lot of bloat, similar to including a huge /etc/hosts file rather than using DNS.

Re:Why trust the PKI?

[dwandy]

so part of the "training" is that financial institutions don't leave a number. They instruct you to look on the back of your card. Just like all banks will tell you they don't send e-mail, and that any e-mail isn't from them, they would start to educate: we don't leave a call-back number.

Part of the problem (imho) is that there isn't enough rea$on for these companies to fix the underlying problems.

Re:Why trust the PKI?

[u38cg]

That's very good practice. However, for as long as banks continue making outbound calls without verifying themselves to their customers, it won't work, because end users are used to receiving such calls.

Re:Why trust the PKI?

[Nursie]

Because then the browser needs to keep track of every certificate from every site it's been to, which is a pain and unreliable when people like to flush that sort of data.

Or would you propose having a "this site is super important and I'm pretty sure I'm not under attack at this moment" button?

Not bad, but I prefer my way :)

Re:Why trust the PKI?

[jonbryce]

In Britain, Royal Bank of Scotland, Barclays and Nationwide have a challenge response system where you have to put your ATM card in a handheld reader, enter your pin and a number supplied by the website, and type the number from the reader into the webpage to continue. Bank of Scotland send a number by SMS to your cellphone which you have to type into the webpage to continue. Lloyds and Abbey don't do anything, and for some reason, they get the vast majority of the phishing attacks in this country.

Re:Why trust the PKI?

[jonbryce]

I guess the attack would take the form of

You log into a fake website. The phisher uses the same details to log into the real website.

You ask to transfer some money. The phisher asks to transfer money to a different place. The phisher passes on the challenge response details it gets to you, you complete it and give it to the phisher. The phisher can then transfer the money to his "money transfer agent" for onward payment to himself.

Re:Why trust the PKI?

[cbiltcliffe]

Me, too. But FryGuy seems to think that it will prevent any and all problems, which it obviously won't.

Re:Why trust the PKI?

[badkarmadayaccount]

Because those are totally safe...

Re:Why trust the PKI?

[Reece400]

Really, what is in the information age. On the other hand I'd trust an ATM over a public PC any day...

Still using MD5 for this ?

[Yvanhoe]

These certificates are at the basis of truth on secure websites. MD5 has been known to have vulnerabilities for a loooong time (2004 according to the link article). Why do not banking services keep up to date with the state of the art crypto ?

Re:Still using MD5 for this ?

From what I understood from the talk, banks do not - they use SHA1. However, about a third of all CA-signed certificates that Firefox trusts has MD5 signatures.

The cool thing is that once you have a rogue CA certificate, you can sign your bank phishing site with a SHA1 signature. This was apparently made harder to detect due to CA:s signing their own certificates with MD5 signatures, which means that if you only check for MD5 signatures in the actual certificate, it's trivial to get passed you, and if you check for MD5 signatures in the whole certification chain, you'd mostly get false positives.

Re:Still using MD5 for this ?

[Opportunist]

Implementing something more secure costs X, cost of fraud is Y, change when Y exceeds X, until then, leave everything untouched.

That's just how banks work. You can yell at them how insecure their online banking is 'til you're blue, but you won't change a thing. I've tried. More than one way.

Telling them won't change a thing. Magazines and newspapers don't report it because they don't want to risk those multi-page bank ads. What's left besides breaking the law and using the exploits to make a point?

Re:Still using MD5 for this ?

[Yvanhoe]

Well I understand that as long as the cost of repairing the flaw is higher than the cost of the flaw, doing nothing is the most logical choice. However, I fail to understand how, in the Internet as it is today, with spambots widespread, with virus factories that take only one hour to transform a patch from Microsoft into an automated exploit, a flaw like this could cost less than a its fix. For Kibo's sake! It's a trivial upgrade at a protocol (MD5->SHA-1 or SHA-2) ! If done with one year of delay (2005) they would have had 3 years to upgrade their equipments and websites before the flaw hit CCC. Now it is only a matter of hours before the first million dollars goes down the drain because of this.

Re:Still using MD5 for this ?

[Opportunist]

It's anything but trivial for a bank. Yes, the technical side is trivial. It's the bureaucracy that weighs it down. Banks need approval for pretty much any change in their processes, often internationally. Other things have to be coordinated. And all that costs a ton of money. It's not as easy as it seems.

It took me a while, too, to realize that the implementation itself is most of the time only a secondary concern when it comes to whether a change can take place in the financial world.

Re:Still using MD5 for this ?

[kasperd]

That's just how banks work. You can yell at them how insecure their online banking is 'til you're blue, but you won't change a thing.

Banks have no part in this. The parties at fault are the CAs for using MD5, and the browsers for supporting MD5 as well as trusting CAs that use it. A bank cannot do anything about this attack. Even if the bank choose a CA which is using secure algorithms it won't help. The attacker don't have to use the same CA as the bank, in this study they explain how they found which CA would be the easiest target.

What you can do as a user is to actually look on the certificate chain. Whenever I am using online banking, I always look on the certificate chain at the beginning of each session before I log in. Seems that practice is not paranoia after all. (I also quit the browser before starting, check for security updates, and then start the browser and use a bookmark to go to the login page. I visit no other sites while doing the online banking, and when done I quit the browser and start over before accessing any other sites).

allyourcaarebelongtous

[sleekware]

All Your CA Are Belong To Us

its only the CA's that use MD5 so the question is.

[johnjones]

some CA's use MD5 the question really should be which ones

they point to a rather doomsday scenario of having a problem with all SSL Certificate Authorities

this is not the case

only the ones that use MD5

so the question really is what is the list of SSL Certificate Authorities that do this ?

regards

John Jones

http://www.johnjones.me.uk

Re:ROGUE not ROUGE

[MightyYar]

There's no way he'd fit in there. It would have to be at least... 3 times as big.

No weakness

[GigsVT]

It's important to note that this sort of collision is not taking advantage of any of the known weaknesses in MD5, rather it's brute force.

This is just to head off the inevitable screaming of "MD5 is broken for everything anyway!!!".

Re:No weakness

What? It's absolutely a weakness in MD5 that collisions are possible to find. These guys pushed that a little further by finding a controlled collision within a smallish time window. While the attack does require some computation, it is not "brute force" in the sense that it would not work (in a practical amount of time) against an otherwise secure 128-bit hash, but rather exploits MD5s known weaknesses.

Re:No weakness

[JakusMinimus]

Firstly, from this article:

The attack is based on known weaknesses in the cryptographic hash function known as MD5. In 2004, researchers from China showed it was possible to generate the same MD5 fingerprint for two different messages using off-the-shelf computer hardware. Three years later, a separate group of researchers - many who participated in Tuesday's presentation in Berlin - built off of those findings by showing how to have almost complete freedom in the choice of both messages.

Maybe I am missing some precision thrust of meaning with your choice of words but my understanding is that the researchers utilized brute force to readily take advantage of a known weakness of MD5. No, it is not broken for everything, but it is most definitively broken for use within the PKI infrastructure (signing certificates).

Re:No weakness

[plover]

Brute force? Not according to TFA:

In the interest of protecting the Internet against malicious attacks using our technique, we have omitted the critical details of our sophisticated and highly optimized method for computing MD5 collisions.

It says they compute collisions, which is indeed a weakness in MD5. Even if they use brute force, the fact that it's forceable is still a weakness.

Now, MD5 still probably makes for a pretty good checksum for utilities like Tripwire and such, but for security it's broken, broken, broken.

Re:No weakness

[Opportunist]

Brute force isn't so terribly time consuming when you have a botnet of current PCs at your disposal that can start crunching...

Re:No weakness

[moderatorrater]

This is just to head off the inevitable screaming of "MD5 is broken for everything anyway!!!".

Why head that off when it's a perfectly valid criticism? MD5's been out of date for a few years now and it's been broken for nearly that long. Using MD5 eliminates the CA's credibility.

Re:No weakness

[blueg3]

Since MD5 is 128 bits, if computing a collision takes on the order of 2^128 attempts, it is indeed brute force and is not a weakness of MD5 at all. A weakness is a property that allows you to perform some undesirable action -- say, compute a collision -- faster than absolute brute force.

Re:No weakness

[Just+Some+Guy]

Maybe it's my naivety, but wouldn't a hash have to be of infinite length to be able to be used in a way that guarantees no collisions?

That's what I thought he was saying at first, but it's not. For an n-bit hash, the birthday paradox says you'll need to try an average of (n/2) bits to find a hit. The problem with MD5 is that you can find collisions in much fewer than 2^64 attempts. So sayeth Wikipedia:

On 18 March 2006, Klima published an algorithm[9] that can find a collision within one minute on a single notebook computer, using a method he calls tunneling.

So yes, all fixed-length hashes will have an infinite number of collisions. It's just that some hash algorithms make it a whole lot easier to find some of them.

Re:No weakness

[owlstead]

(1) Maybe it's my naivety, but wouldn't a hash have to be of infinite length to be able to be used in a way that guarantees no collisions?

(2) Or is your point that hashes shouldn't be used at all? (3) If so, what should be used?

(1) Of course there are collisions. The idea about secure hash methods is that it should be impossible to find one. If you brute force a perfect hash, you will have to look to at least 2^(N/2) hashes (in general, or you must be lucky to the extreme, approximately the same amount of luckiness :P ). MD5 is broken in this regard, for certain situations, such as the one in the article.

(2) No, this doesn't seem to be the case. He just - correctly - pointed out to GigsVT that this is not a brute force attack. This can easily be extracted from the paper.

(3) SHA-2 is rather secure, there is no vulnerability other then the fact that it looks too much like SHA-1 to be completely care-free. And there is probably a reason for the SHA-3 competition. There are also people that think any hashing method that is build using Merkle-Damgård is unsafe. There is yet no solution against those (theoretical) problems.

No answer was needed for (3) because (2) was already wrong, but I've added it as a bonus.

Re:No weakness

[tietokone-olmi]

At least as long as the input data, anyway. And then they might be reversible, which is just as big a problem.

So yes, cryptographic hashing is a game of tradeoffs. What isn't?

Re:No weakness

[SanityInAnarchy]

Actually, yes it is. You just need a strong enough cipher.

The way I understand it, for example, 4096-bit RSA either requires a dramatically new approach (quantum computing), or, with current technologies, requires every atom in the Universe to be assembled into a massive compute cluster, and that cluster needs to run for longer than the heat death of the Universe.

Botnets do change some things, but they don't change basic mathematics.

Re:No weakness

[amorsen]

If computing a collision takes on the order of 2^128 attempts, it won't happen. Anyway, you can make a collision of a 128-bit hash in 2^64 attempts, but even that is out of the reach for most people. Unfortunately you can generate collisions for MD5 much much faster than 2^64 operations.

Re:No weakness

[blueg3]

It depends on if you are trying to produce two strings with the same hash or trying to produce one string with a predetermined hash. The former can be done faster, but is not brute force. (This is "the weakness" of MD5.) The latter still can only be brute-forced.

Re:No weakness

[plover]

Again, RTFA. They start by acquiring a legitimate certificate with an MD5 hash signed by a trusted root authority. They then create a new certificate of their own that produces the same signature as the one the certificate was assigned. That is the latter of your choices that you claim can only be brute forced, and it is the approach they claim to have optimized. To optimize "brute force" means they must be taking advantage of some weakness in MD5.

Re:No weakness

[bwcbwc]

The basic math is that in order to prevent hash collisions you need a one to one mapping from the input domain to the hash range. In other words, a unique hash value for every input value. Technically, it isn't a true one-to-one mapping, because there could be extra unused values in the hash range that aren't mapped from the input values, but unused values in the hash space translate into wasted memory storing unneeded bits. A one-to-one mapping is the most efficient possible mapping.

In the case of an arbitrary/random data sequence of finite length, the number of possible values of the input space is 2^n where n is the number of bits in the input.

In order to support this number of variations of the input, the length of the hash must be the same number of bits (or greater). The hash needs to establish a one-to-one mapping of potential inputs to potential outputs.

As an example, if your input data consists of 8 bits with no restrictions on the value of any given bit, you have 2^8 possible bit combinations (the full ASCII table, for example) that must be mapped into the hash. In order to successfully map that many different permutations of input, you need an 8-bit hash. If you only have a 6 bit hash, you are trying to map 2^8 (256) possible input values values into an output space that contains only 2^6 (64) values, so either some values in the domain are not mapped into the range (invalid hash/hash failure) or else there are values in the output range that are reached from multiple inputs (hash collisions).

Now a purely arbitrary or random input sequence is not the only possible condition for hashed data. If an input data sequence can be compressed losslessly due to correlation between input values or because some sequence combinations are prohibited, the hash can be shorter than the input string (but not shorter than the best possible compressed version of the string). Again, this boils down to the basic math of one-to-one mappings and permutations of n bits of data. If data is losslessly compressible, that means a one to one mapping can be created from the uncompressed data to the compressed version. One to one mappings are transitive, so you can create a perfect hash of the compressed data without data loss (or hash collision).

Re:No weakness

[sjames]

Brute force? Not according to TFA:

Brutish force perhaps :-) For some time, we have known that MD5 had a weakness that can be used to reduce the size of the problem, but then brute force must be applied to that smaller search space. They either got quite lucky or did a really good job of optimizing the porocess.

Of course, since a rogue CA cert is an extremely high value target for a criminal organization (and they have millions of distributed processing nodes available to them), it's likely that someone either is or will try it for less pure purposes.

The solution will be 'interesting'. Essentially, the prudent move is to mark all CAs using RSA and every cert they have signed as untrusted. Any holder of one of those certs will have to get a new one from somewhere else.

Re:No weakness

[harlows_monkeys]

It's important to note that this sort of collision is not taking advantage of any of the known weaknesses in MD5, rather it's brute force

Wrong. Finding collisions in MD5 by brute force takes around 2^64 attempts (basically, a birthday attack), and is safe from all but those with huge computing resources. The current methods being used for finding collisions are several orders of magnitude faster than that, and only require minutes on a typical PC.

Re:No weakness

[blueg3]

You really should read the original paper -- or have some understanding of developments in cryptography. They "generated" two certificates with identical MD5 hashes and got a CA to produce an MD5-only signature for the one. Since the hashes are the same, the signature's good for both. This absolutely requires being able to manipulate both certificates.

They don't actually produce the first certificate themselves -- the CA does. However, the CA they chose generates the cert automatically from data they provide in a highly predictable fashion, which allows them to, in practice, supply the cert to be signed.

This, incidentally, is terrible cryptographic practice -- performing functions like signature generation or encryption on arbitrarily-supplied data automatically, as it is a requirement for many attacks. If the CA introduced 128 bits of unpredictable entropy into each issued cert, their method would be completely worthless, even with the insecurity of MD5, because guessing the added message entropy is too difficult.

Re:No weakness

[plover]

That makes a lot more sense now, thanks for having the patience to explain it to me. I kept trusting the linked page and the illustrations which implied the new cert was a pure derivation from the cert they purchased.

Re:No weakness

[blueg3]

Yeah, I glanced over their paper again to see if there was something convenient to quote. If you're not familiar with existing MD5 attacks, the abstract is not too clear on this point.

Re:No weakness

[dachshund]

The way I understand it, for example, 4096-bit RSA either requires a dramatically new approach (quantum computing), or, with current technologies, requires every atom in the Universe to be assembled into a massive compute cluster, and that cluster needs to run for longer than the heat death of the Universe.

You've neglected to mention: a significant advance in the mathematics behind factoring and/or solving the RSA problem itself. There's been an impressive amount of work in this direction overthe past 20 years, so it's not ridiculous to imagine further advancements in sub-exponential factoring algorithms.

Fortunately, if such an advance does take place we'll probably hear about it well before the botnets have a chance to take advantage of it (on the other hand, we've had plenty of warning about collisions in MD5, and that didn't help RapidSSL).

Re:No weakness

[jd]

A "perfect" cryptographic hash must meet three criteria:

a) The best herustic for determining an input which will produce the same hash as a specific target input will require as many steps on average as brute-forcing. (ie: the probability of getting a collision is the same whether you are using a programmatic solution or guessing.)

b) If inputs A, A' and A'' produce the same output, where A and A' are known, the best herustic for determining A'' will remain no better than one that brute-forces.

c) If inputs A and A' produce the same output as each other, inputs B and B' likewise produce the same output as each other, and so on for some statistically-significant number of distinct outputs, the outputs will follow a random distribution.

In other words, the apparent strength of the hash is the actual strength of the hash, no matter how much information has been obtained (either by analysis or by chance). There are two "obvious" properties which are necessary but not in themselves sufficient to produce those criteria. These properties are:

a) The change in output in relation to a given change in input will follow a random distribution.

b) Where the change in input is a fixed increment of any kind, neither the output nor the change in output nor any other order differential may be constant or cycle as a whole (though unpredictable repeats are a requirement of randomness), no matter what the period of that cycle would be.

These properties are common to almost all systems that are sensitive to initial conditions, which is why some of the more elaborate hashing schemes use well-understood chaotic systems rather than trying to mess around with the underlying cryptographic theory. If you know the system is deterministic (ie: for identical input it must produce identical output) but is non-predictable (ie: there exists no method whatsoever for figuring out the output - or even guessing the range it might fall in, other than the entire allowable range - for a given input except to perform the operation) then predicting a collision should be impossible. In practice, chaotic systems aren't the easiest of beasts to work with when you want fixed-length hashes and you want them yesterday. You could produce extremely strong cryptographic hashes chaotically if you don't mind waiting a day or two for each one.

In practice, no cryptographic hash will be totally "perfect", it can only be approximate. And the faster it needs to be, the more shortcuts you need to take, so the less perfect it can be even in theory. This is one reason there is some commentary on the SHA3 mailing list on whether speed should be as emphasized in the current test as the criteria suggest - that maybe NIST should relax that a little and get something stronger. Weaknesses in MD4, MD5 and even IPSec have been pointed out in respect to an overemphasis on speed in the past. Not sure on how far you could go with that, but the very impressive speedups achieved on the posted hashes suggests that the speed of the algorithm is a non-issue, that there are so many avenues for making the code faster that you can disregard that side of things almost entirely. At least for this contest. The better choice may well end up being the stronger choice, no matter what the relative performance of the reference implementations.

Re:No weakness

[julesh]

The way I understand it, for example, 4096-bit RSA either requires a dramatically new approach (quantum computing), or, with current technologies, requires every atom in the Universe to be assembled into a massive compute cluster, and that cluster needs to run for longer than the heat death of the Universe.

AIUI, that's only true if P != NP, which is assumed but not proven.

No one should be surprised.

[gandhi_2]

The fact has always been that MD5 collisions can be calculated with rainbow tables for all sorts of reasons... Why weren't all CA's using SHA-1? It's trivial enough with the openssl from apt-get.

Re:No one should be surprised.

[blueg3]

You have no clue what you're talking about. Rainbow tables are only useful for small inputs, and work regardless of the hashing function.

MD5 collisions have been computable, but it's only really reasonable to produce two strings with the same MD5 hash -- not to produce a single string with a given MD5 hash.

Re:No one should be surprised.

[starfishsystems]

As SHA-1 is somewhat weak also, use the SHA-2 family, for example SHA-256 or longer instead.

Be sure to test the resulting cert infrastructure before deploying it. I (vaguely) recall a couple of years ago that OpenSSL lets you specify some legal hash names which it verifies just fine, but browsers such as Firefox may obscurely fail to recognize them when verifying the certificate chain.

Re:No one should be surprised.

[kasperd]

but it's only really reasonable to produce two strings with the same MD5 hash

Strictly speaking you can produce multiple strings with the same MD5 hash. I think the 2007 attack actually demonstrated 10 or more choosen prefixes leading to the same hash, they just had to add more garbage to the end.

not to produce a single string with a given MD5 hash.

Correct, that is still not feasible. And I don't see any indication that it is going to be any time soon.

CA's using MD5

[xaosflux]

FTA, the following common CA's are still using MD5.

RapidSSL
C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1

FreeSSL (free trial certificates offered by RapidSSL)
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications

TC TrustCenter AG
C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de

RSA Data Security
C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority

Thawte
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

verisign.co.jp
O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

Re:CA's using MD5

[McNihil]

I guess one could do this too

grep -A 1 md5WithRSAEncryption /etc/pki/tls/certs/ca-bundle.crt |grep "CN"|awk -F "CN=" {'print $2'}

which yields the following

GTE CyberTrust Root
GTE CyberTrust Global Root
Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
Thawte Server CA/emailAddress=server-certs@thawte.com
Thawte Premium Server CA/emailAddress=premium-server@thawte.com
Entrust.net Client Certification Authority
Equifax Secure Global eBusiness CA-1
Equifax Secure eBusiness CA-1
Thawte Timestamping CA
Entrust.net Secure Server Certification Authority
Entrust.net Client Certification Authority
IPS SERVIDORES/emailAddress=ips@mail.ips.es
NetLock Kozjegyzoi (Class A) Tanusitvanykiado
NetLock Uzleti (Class B) Tanusitvanykiado
NetLock Expressz (Class C) Tanusitvanykiado
Free SSL Certification Authority/emailAddress=admin@startcom.org

Can someone double check?

Re:CA's using MD5

[Tony+Hoyle]

Find these in the browser and delete them.

*No* certificate issued by these providers is secure. If your bank uses them, then tough.. your bank has a problem and they should have bought their certificate from a competent provider.

Re:CA's using MD5

[blueg3]

No, it needs to be a CA that is issuing certificates with MD5, not a CA whose certificate is signed by MD5. With this attack, already-created certificates are not vulnerable.

Re:its only the CA's that use MD5 so the question

[gclef]

It's in their slides. As of 2008, there were some big names still using MD-5:

RapidSSL
FreeSSL
TrustCenter
RSA Data Security (!)
Thawte (!)
verisign.co.jp

Possible solution?

[marcopo]

I'm not familiar with the details of certificate use, but as far as the cryptologic component there seems to be a reasonable fix, that will not require any change from end-users or invalidate existing certificates (apart from changing the hash).

The attack is based on finding a hash collision between certificates A and B, having the CA signing A, and using the signature for B. If the CA were to make a small change to A before signing it the attack would be foiled, since it requires active participation from the CA.

Suppose the CA started to add a few random bits to each certificate before signing it. The applicant is told what these bits are, so that they can use the signed (modified) certificate to verify themselves to users. With just a few extra bits this would make the attack unfeasible. Does this make sense?

Re:Possible solution?

[Kz]

those 'extra bits' are called 'salt', and this scheme is widely used with 'shared secret' validations; but won't work here.

using your words: the applicant doesn't know A, so can't apply the extra bits to verify.

Re:Possible solution?

[PAjamian]

Very true, in fact there are currently two factors in control of the CA, the certificate validity period (with a resolution of 1 second) and the serial number. The attackers were able to reasonably predict both with RapidSSL due to the fact that they use sequential serial numbers. If the CA were to simply change to random serial numbers then this attack would be foiled.

That said, the best way to deal with this is to simply stop using md5 to sign the certs and use sha-1 instead.

Re:rogue not

[cbiltcliffe]

No, no, no. The 'rouge' is referring to the face colour and embarrassment of the legit CAs when it turns out that they're issuing SSL certs to www.we-will-hack-you-good.com

The sky is not falling.

[viega]

A lot of people in the twitterverse seem to think otherwise, but this is not a major breakage of the Internet. See my commentary at O'Reilly: http://broadcast.oreilly.com/2008/12/the-sky-is-not-falling-on-toda.html

Re:The sky is not falling.

[viega]

Read the article carefully. Just because something is signed by MD5 doesn't make it broken. Signing future things with MD5 without proper randomization is bad, but I don't expect anyone other than the third tier CAs to do that kind of thing after this. I will also say that the attack will leave a pretty distinctive signature in CA logs. Plus, nobody would say "revoke Thawte's cert retroactively", but it should probably not be used anymore, and no CA certs issued with it should be accepted anymore. In fact, those issued over the last year, Thawte should publish which ones it issued separately. If browsers respected that list (a one-time thing), it would close the remaining hole (for Thawte... each CA affected would need to do the same thing).

Re:The sky is not falling.

[Tony+Hoyle]

"Therefore, the only certificates that are problems are ones where someone has already launched this attack. We know it's happened once, but that list is probably pretty small. And, there's a good shot that the bad guys haven't done it at all."

He's wrong, and has completely failed to understand the significance of this. He seems to think that it requires the CA to sign these certificates or something.

As long as there are *any* MD5 CA certificates in the browser then the bad guys can duplicate it and generate valid certificates for *any site on the internet* - including your bank. Man in the middle attacks just got a hell of a lot easier. Phishing attacks just got a hell of a lot easier.

Vulnerable CAs include Thawte and RSA, which means this is pretty damned big.

Re:The sky is not falling.

[Tony+Hoyle]

You still seem to think the CA is involved in this. Read how the attack is done. They generate a certificate with the same MD5 as an existing CA certificate. This allows them to issue certificates as if they were signed by the CA *without the CA having any knowledge*.

It is now impossible to trust any certificate signed by CAs using MD5. If that includes thawte then tough - they're going to have to reissue all their certificates.. they should have thought of security instead of trying to cut corners.

Re:The sky is not falling.

[viega]

You're wrong. Read the attack author's write-up here: http://www.win.tue.nl/hashclash/rogue-ca/ You will see that they absolutely need to get the CA to endorse the data they produce. They come up with two certificates in advance that, under the right conditions, will both validate when one of them is signed via MD5. That means, you cannot take an arbitrary cert on the internet and feasibly come up with an identical cert that is malicious, where the same signature applies.

Re:The sky is not falling.

[viega]

No, you misunderstand their attack. A CA definitely needs to be involved. You trick them into signing a web site cert, but then that signature can be pasted on to your other cert, which is a CA cert. You thus mint your OWN CA cert that a Thawte or whoever has accidentally endorsed, due to the collision you have generated. Note that this dependency on an existing valid CA is why there is a long section about how to anticipate the CA's serial numbers and validity periods.

Re:The sky is not falling.

[Simon+(S2)]

I think in your article you got this wrong. "That kind of attack doesn't seem like it's going to be practical in the next few years, though we should expect it will be possible sooner than later (developers: stop using MD5. Switch to something in the SHA family)."
The CCC guys already created a CA cert with which they can sign any cert for any host they want. That cert, signed by that forged CA cert, will look legitimate to the client browser, because it looks like it is signed by a trusted CA. So, yes: the sky is falling.

Re:The sky is not falling.

[viega]

I was talking about finding a new cert where the signature matches any arbitrary web site cert. That is, you can't take Citibank's cert and produce a new cert that says citibank that also has the same signature. I was mentioning this because most people seem to think that this is what the attack involves. The actual attack involves getting your own rogue CA by tricking an existing CA that signs using MD5 to sign a carefully crafted certificate. The actual attack does indeed work. It's been assumed this was approaching possible for a while, which is why most CAs long since moved to abandon MD5.

Re:The sky is not falling.

[viega]

That's an entirely different thing. If you look at my article, I do explain this. But you can easily revoke them all by revoking the rogue CA's credentials. And, once the hole is plugged at the few CAs signing w/ MD5, that is all you have to do (tho it is best done in the browser, not through CRLs or OCSP). The Internet is not going to die. This is not a big deal.

Re:The sky is not falling.

[pegr]

"That means, you cannot take an arbitrary cert on the internet and feasibly come up with an identical cert that is malicious, where the same signature applies."

No, but I can bogotize a signing cert and use it to sign another arbitrary cert for any site name I please. What's the diff?

Re:The sky is not falling.

[Simon+(S2)]

I was talking about finding a new cert where the signature matches any arbitrary web site cert. That is, you can't take Citibank's cert and produce a new cert that says citibank that also has the same signature. I was mentioning this because most people seem to think that this is what the attack involves.

But that is not th case in this attack. You don't need to create a cert that hase the same signature, just a cert for the same host signed by a trusted CA (and that is much worse). Anyway, you got the attack wrong. I think you may have understood that by now.

Re:The sky is not falling.

[SanityInAnarchy]

Here's a question: Why would a CA add randomization, instead of forcing at least SHA1?

Re:The sky is not falling.

[Gothmolly]

Your use of the word 'twitterverse' marks you as a complete douchebag.

Re:The sky is not falling.

[viega]

Actually, they should do both. Whether true or not, I have visions of the CA being written by one guy n years ago, and it's been on autopilot ever since. I can imagine that he's got a hardcoded 16 byte value somewhere, and it's easier for him to randomize a sequence number than to make sure he got hardcoded values right across his code base. If it were me, I'd have abandoned MD5 in 2004, when most other people did. But, with a large random value, it is a "good enough" solution until MD5 is fully broken. I'm not sure which will happen first, a full break on MD5, or the same kind of collision attack on SHA1 that the researchers used here. I actually suspect the answer is that SHA1 is more vulnerable to this kind of attack than MD5 is to a full break. SHA1 has the same structural weaknesses. The only thing saving it is the bit length. As the complexity of this attack on MD5 comes down from brute force (O(2^64)) we can expect it's coming down on SHA1 as well. Maybe this same kind of attack is feasible given a year of time on a much bigger cluster, or something like that. Yes, people here are going to misread this to think I mean MD5 is stronger than SHA1 (which it certainly isn't), but that's slashdot for you.

Re:The sky is not falling.

[viega]

There are lots of differences. The important one is the impact for dealing with the problem. If the signature for any cert in the world signed by MD5 could be stolen, then you couldn't trust anything with an MD5 signture and we'd therefore have to treat every web site serving up an MD5 cert as bad, which would cost lots of people time and money. With this attack, there's a very good chance that no bad guy will ever use the attack in real life, and even if they do, it is not too hard to identify and blacklist the few rogue CAs that will exist, which will automatically invalidate any fake certificates. Most web site certs out there today that were signed by MD5 are perfectly fine (probably through their entire validity period), and there is no need to incur the cost to have people replace them.

Re:The sky is not falling.

[viega]

I think you either didn't read my writeup at all, or didn't understand it. But, I most certainly got it right. Ask any other cryptographer out there. Or, just read the researchers write-up carefully. It is very clear.

From what I understand from your posts, you're saying I don't need to create two certs with the same hash, I "just" need to create a new cert that matches an existing web site's cert. That's not true, and some intuition should demonstrate it. If you understand the birthday paradox, it says that, with brute force for MD5 (that is, if we assume MD5 is perfect), my explanation (remember, brute force), would be O(2^64) to attack. Yours would be O(2^128). Now, if someone has tricks to do better than brute force, perhaps they'd work in your context but not mine, or vice versa. Or, more likely, any structural weaknesses in MD5 are likely to have implications for both kinds of attack. Now, since O(2^64) was already near the border of feasibility, while O(2^128) was very far from it, which kind of attack was likely to become more practical first?

The whole point of my post on O'Reilly was that people do seem to think the research in question represents the scenario you're talking about. If that were the case, we would indeed have to quickly stop allowing even legacy MD5 certificates, which would be a little painful. But, that is absolutely not the case. If the few risky CAs deal with the problem quickly, this will be a huge non-event.

Re:The sky is not falling.

[pegr]

"If the signature for any cert in the world signed by MD5 could be stolen, then you couldn't trust anything with an MD5 signture and we'd therefore have to treat every web site serving up an MD5 cert as bad, which would cost lots of people time and money."

And that is exactly the situation. Thanks for putting it so well. Actually, it's bigger than that, since I can fake any cert (with my magic bogotized signing cert).

"With this attack, there's a very good chance that no bad guy will ever use the attack in real life, and even if they do, it is not too hard to identify and blacklist the few rogue CAs that will exist, which will automatically invalidate any fake certificates."

Could you explain this to me please? I have a fake signing cert. I use it to make other certs for any site I please. You can't blacklist the cert, because it's apparently "signed" by a trusted CA. You would have to remove any trusted CA that uses MD5 to sign certs. They've already been identified. How likely is Microsoft to push "Updated Root Cert" patch to Windows users, effectively removing the value of all certs from:

RapidSSL
C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
FreeSSL (free trial certificates offered by RapidSSL)
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
TC TrustCenter AG
C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de
RSA Data Security
C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
Thawte
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verisign.co.jp
O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

Until this issue hits enough people to come up on their radar, everyone is vulnerable to MitM attacks. When it does hit the radar, there will be massive finger-pointing, and victims will be screwed.

The root of the problem is this: Certs are about trust. Microsoft trusts those that are untrustworthy. I am forced to assume the risk of Microsoft's trust decisions. I therefore do not trust Microsoft. Lesson: You can't trust anyone who doesn't have skin in the game.

Two sidenotes: This issue applies to all browser vendors, not just MS. And Jesus H. Tap Dancing Christ, what the F is RSA doing on that list?

Re:The sky is not falling.

[viega]

There's some confusion here. I'll try to clear it up. Let's imagine that you've got FredCA that got its CA credentials from Verisign. Let's say FredCA is perfectly legitimate. That means that they have a cert with a signature on it from Verisign. Let's say that Citibank wants to get a leigitimate certificate and they go to FredCA. The certificate they get back is signed by FredCA.

When your browser goes to Citibank, it gets to see the entire certificate chain (the server sends back a PKCS blob of the entire chain). It validates not only that the Citibank cert was signed by FredCA, but it also validates the signature on FredCA's certificate. If it trusts Verisign, then it makes sure that the certificate is definitely one it knows maps to verisign, and then everything is trusted.

A lot of people here seem to believe that the attack is that a bad guy can take the cert that FredCA endorsed for CitiBank or the cert that Verisign endorsed for FredCA (as long as the signature uses MD5), and steal the signature for their own certificate. If that were true, then we could not trust any certificate signed by MD5. Good thing that most certs have been issued via SHA1 for a while.

But, that is not true. In this attack, the bad guy can generate a pair of certificates, one that the CA signs, and another for which the same signature happens to be valid. You cannot do this to any cert on the internet, the pair of certificates have to be specially crafted.

In this attack, the bad guy gets FredCA to sign a certificate for DummyOrg, but when the bad guy created the DummyOrg cert, he created a matching cert for his own CA, call it EvilCA. Since the certs were created together in a particular way, the bad guy can take the signature off the DummyOrg cert and paste it onto the EvilCA cert and everything will work.

With the EvilCA cert, he can create certificates that claim to be from any site on the internet, even though they are not. When they get to the browser, the browser looks at the whole chain, and it looks good, even though FredCA never signed the EvilCA certificate. However, once we blacklist the signature for the DummyOrg cert, we will immediately blacklist everything endorsed by EvilCA, because when a browser goes to validate the whole chain, they'll see that the certs are issued by a blacklisted CA, and thus would know that the certificate is fake.

Also, note that there's a good reason to believe this hole will be closed well before any bad guys actually try the attack. At most, the world will have to blacklist a small handful of rogue CA certs.

Additionally, for the CAs other than RapidSSL, it's not clear they can be attacked easily. As far as I know, they all usually sign with SHA1. I don't know how you would get them to choose MD5, but I suspect none of them will do it anymore after this. And, even if they did, you would need to know how to predict their sequence number and the date values they add to the certificate. With RapidSSL that was all automated and very predictable. It could be with the other CAs, but it isn't necessarily the case.

Hope this helps.

Re:The sky is not falling.

[pegr]

So how might you blacklist a cert you've never seen? Only victims see it. And if you see it, you're already a victim. Add to this that any number of bogo-signing certs can be made, sitting in reserve, ready to pull out whenever one fails. No, the only confusion here is yours.

Best defense: "How to Remove a Root Certificate from the Trusted Root Store". Remove the RapidSSL cert, and any others that you have reason to mistrust.

Secondarily, hope no crap falls on you when someone you know gets hit.

Re:The sky is not falling.

[SanityInAnarchy]

Maybe this same kind of attack is feasible given a year of time on a much bigger cluster, or something like that.

Only if it scales linearly. Remember, DES is trivially cracked, but triple-DES is still secure (last I checked).

Re:The sky is not falling.

[viega]

The relative security between MD5 and SHA1 is currently more or less linear to the digest size, though more work has been done on practical applications on MD5, so it is a little weaker relatively. For cases where the birthday paradox applies, you lose 1/2 your bit length in the brute force case.

Re:The sky is not falling.

[viega]

For most people, this will put them at MORE risk than selectively blacklisting rogue certs as they are identified:

1. It is very likely that no bad guys will ever get a chance to use this attack. For them to use the next MD5 attack they would need to be able to predict a sequence number several months in advance, instead of several days.
2. Any attack of this type will be pretty obvious from the CA's logs. CAs that sign with MD5 will need to invest some man power in manual validation, but this is not a huge cost. This is how you find the unknown certs, if there are any (which is highly likely).
3. Since many legitimate web sites use SSL/TLS certs from RapidSSL, taking your advice for remediation will just give them pop-ups on some legitimate sites, which is likely to desensitize them. When people get enough pop-ups for stuff that isn't a risk, it's well known that they start just clicking through, so this would put the average person more at risk.

Re:The sky is not falling.

[Ararat]

"And Jesus H. Tap Dancing Christ, what
the F is RSA doing on that list?

Getting smeared! (sigh)

The CA identified by Sotirov et al as owned by "RSA Data Security" was actually RSA's original "Secure Server Certification Authority." It was legally transferred from RSADSI to VeriSign back in 1995, when RSA spun off VeriSign as an independent entity. (Apparently the designated names of root CA can't be changed while they are operational.)

RSA, now part of EMC, still runs two root CA, both of which use SHA1 digests.

This is an all-VeriSign show. All the CAs listed as potentially vulnerable to a MD5 collision attack are owned or controlled by VeriSign.

PS3 power

[d3l33t]

interestingly enough they used playstations to do so

A nice piece of work

[Animats]

That's a nice piece of work. I'm very impressed.

Practical conclusions:

• The weakest trusted CA in the world compromises the entire public key infrastructure. What they've been able to do is not just create a phony SSL cert. They've been able to create a trusted but phony certificate authority root certificate which can be used to sign other certificates.
• MD5 has to go. The PKI infrastructure already supports SHA-2, which is considered better; MD5 is only there for legacy certs. So an upgrade doesn't require end-user browser changes; it can all be done by CAs and web sites.
• It's not that hard to do this attack, but it does take some resources. They used a farm of 200 Playstation 2 machines to attack MD5. This is well within the capabilities of, say, the Russian Business Network.
• RapidSSL and FreeSSL seem to be the current weakest points in the system. "Out of the 30,000 certificates we collected, about 9,000 were signed using MD5, and 97% of those were issued by RapidSSL." Worse, those two issuers issue certs with ascending non-random serial numbers, so that, with careful timing, they can be induced to issue a cert with a known bit pattern, which is required for this attack. Probably, RapidSSL and FreeSSL's trusted root cert should be pulled from IE and Netscape, and all certs from those sources re-issued using SHA-2 hashes.
• I don't think the RapidSSL and FreeSSL root certs are EV-enabled, so this specific attack probably can't be used to generate phony Extended Validation certs. Also, the EV standards require SHA-2 or better hashing, not MD5, which is more of a legacy hash algorithm. So the EV cert world is probably still secure.

Re:A nice piece of work

EV requires SHA-1, not SHA-2, but you're right that EV is an effective mitigation. Not all devices (e.g. phones) support SHA-2 yet but all support SHA-1.

The number of certs issued isn't very relevent; this isn't a second pre-image attack. So, RapidSSL/FreeSSL simply need to stop issuing MD5-signed certs.

Re:A nice piece of work

[gatekeep]

"The weakest trusted CA in the world compromises the entire public key infrastructure."

That's a slight overstatement. It compromises the entire public key infrastructure for which that CA is the root of trust.

If you removed all MD5-enabled CAs from your trusted roots list, you remove the potential of being fooled by a forged cert. Certs issued by other CAs, unaffected by the brute-force MD5 collisons, remain as trustworthy as they ever were.

Granted, for most people the chain of trust ties back to the default CAs that ship with their browser, and if any of those CAs is vulnerable, your faith in any cert validated as 'trusted' by your browser goes down, and most people don't bother looking at what CA issued the cert so long as their browser deems it trustworthy, but it's a little more nuanced that 'compromises the entire PKI infrastructure.'

I suspect browser patches will be out soon, removing trust for affected CAs entirely, not trusting them past a certain date, or at least giving warnings when MD5 signature verification is found along the chain of trust.

Re:A nice piece of work

[gknoy]

Will blacklisting the CA (locally on my machines) make any difference? (Perhaps a better question is, can I as an end-user do anything to protect myself from certificates issues from CAs that have not upgraded to better hashing?)

Re:A nice piece of work

[ALecs]

You seem to be able to disable root CAs in firefox. In "preferences" > "advanced" > "view certificates" > "authorities". FreeSSL is in there, listed as "startcom ltd". I guess we might all want to remove that now?

Re:A nice piece of work

[Rayban]

If you blacklist all CA's that use MD5 hashes in the root, you are likely safe (unless there's an unsafe intermediate somewhere).

IMHO, this needs a browser fix to mark any certificate with MD5 in its chain as potentially untrusted.

Re:A nice piece of work

[Tony+Hoyle]

No, RapidSSL/FreeSSL need to remove their MD5 CA from the trusted list. Merely stopping issuing new certs is not going to do anything - the entire trust chain is compromised until *all* MD5 CAs are removed from the trusted list. In practical terms that means they need to reissue all certs based on the old CA.

Re:A nice piece of work

[owlstead]

What they've been able to do is not just create a phony SSL cert. They've been able to create a trusted but phony certificate authority root certificate which can be used to sign other certificates.

Almost correct, it is in fact an intermediate CA certificate. This can be used for certificate trees of 3 certificates in depth (or more). Of course, creating a "root CA" has very little effect, since you will have to include it into the secure store of the browser if you do.

Otherwise you are right on the money. It certainly won't matter to the end user what kind of certificate it is, root or intermediate.

Re:A nice piece of work

[blueg3]

What matters is not what hash is used in the root, but what algorithm newly-issued certificates can be hashed with. If the CA can be convinced to issue a certificate hashed with MD5, then it is susceptible to this attack. If newly-issued certs must use SHA1 or better, than it is not susceptible, even if the root certificate is hashed with MD5.

(Moreover, one could imagine that there is a root cert signed with SHA1, but the CA issues MD5-signed certs. This would also be vulnerable.)

Fortunately -- and not at all surprising, if you follow cryptography -- this attack requires that you craft two certs and get the CA to sign one. Computing a collision against a preexisting cert is still infeasible.

Re:A nice piece of work

[Rayban]

Yeah, parent comment is correct. MD5 roots are not important *yet*, though they may be an issue in the future when MD5 collisions can be created arbitrarily (versus using birthday attacks).

MD5 certs anywhere in the chain (with the exception of the trusted root) mean that the certificate is suspicious *today*.

Re:A nice piece of work

[blueg3]

To be more specific: if any certificate in the chain has both been issued by a CA (that is, it is not included in your list of "trusted certificates") and its signature includes only an MD5 hash, it is untrustworthy.

So far there is no known method for creating a string with a specified MD5 hash. In this regard, the only advantage SHA1 has over MD5 is hash length.

There are other serious problems that people seem to ignore over MD5's weakness. These CAs are not only not really doing much identity validation, they're violating a major cryptographic principle -- they are simply automatically signing data that is directly generated from user-supplied data. Having predictable serial numbers, validity times, and fields that can contain large amounts of arbitrary data is what allows this attack to work in the first place.

Re:A nice piece of work

[Z-MaxX]

It's not that hard to do this attack, but it does take some resources. They used a farm of 200 Playstation 2 machines to attack MD5. This is well within the capabilities of, say, the Russian Business Network.

Actually, they were PlayStation 3 machines. "Luckily it is also very suited for the special SPU cores of the Cell Processor that the Sony PlayStation 3 uses. We had about 200 PS3s at our disposal, located at the 'PlayStation Lab' of Arjen Lenstra at EPFL, Lausanne, Switzerland"

Re:A nice piece of work

[this+great+guy]

MD5 has to go. The PKI infrastructure already supports SHA-2, which is considered better; MD5 is only there for legacy certs. So an upgrade doesn't require end-user browser changes; it can all be done by CAs and web sites.

Well an upgrade would require end-user browser changes: MD5-based CA certs need to be removed from their trusted CA list.

Re:A nice piece of work

[this+great+guy]

Well an upgrade would require end-user browser changes: MD5-based CA certs need to be removed from their trusted CA list.

Let me reword that: certs of CAs still using MD5 to sign web site certs need to be removed from the browsers' trusted CA list (because even CA certs signed with SHA-1 can be exploited if they issue MD5-based web site certs).

Re:A nice piece of work

[PAjamian]

They've been able to create a trusted but phony certificate authority root certificate

Correction ... it's not a *root* certificate, it's a CA certificate which is chained off the vulnerable CA's root. That said the distinction is mostly meaningless as the certificate can be used to sign an unlimited number of certificates for any domain name anyways.

MD5 has to go. The PKI infrastructure already supports SHA-2, which is considered better; MD5 is only there for legacy certs. So an upgrade doesn't require end-user browser changes; it can all be done by CAs and web sites.

It only really has to be done by CA's. This attack doesn't make an existing web site's certificate any more vulnerable to anything, regardless of how it was signed.

Probably, RapidSSL and FreeSSL's trusted root cert should be pulled from IE and Netscape, and all certs from those sources re-issued using SHA-2 hashes.

That's much more than is necessary. If RapidSSL and FreeSSL starts signing their certificates with sha-1 then there really isn't anything that need be done from the browser end, otherwise browsers could not trust md5-signed chained roots from RapidSSL and FreeSSL (as I'm fairly certain that RapidSSL and FreeSSL does not issue those legitimately anyways).

Re:A nice piece of work

[ArsenneLupin]

After reading this article, I think that RapidSSL/FreeSSL should stop issuing certificates altogether.

Indeed. This MD5 issue is not the only problem that RapidSSL has. Their biggest issue is that they don't do any effort whatsoever to verify the requestor's identity. All the requestor has to do is:

1. Supply a phone number under which he can be reached
2. Prove that he can read e-mail sent to the domain to which he wants a certificate

The phone number is not verified, and using the number of a pre-paid mobile plan (or a callable phone booth) will work just fine.

Two may be a little bit tougher, until you think against what a certificate is supposed to protect: man-in-the-middle attacks.

So if the perp can get close enough to his target to mount a man-in-the-middle attack, he can also intercept mails sent to that target. Or, if the target is a webmail provider (hotmail, ...), he only needs to create one account out of the many allowed on the service.

Contrast this with other certification authorities, such as CA-Cert, which require a face-to-face verification with at least two volunteers which are trained and can be held responsible for errors.

Granted, domain ownership verification is not any more stringent than with RapidSSL (except for a smaller list of possible admin adresses), but at least in case of fraud, CaCert will have a chain of assurers leading to the perp in case of fraud, whereas RapidSSL would only have the number of a phone booth in a shady neighborhood.

Now, guess who is trusted by most browsers?

Yes, RapidSSL is, while CaCert isn't.

Missing option

[pjt33]

I'll set fire to CowboyNeal. That kills two birds with one stone: fuel and food.

Re:Missing option

[Ethanol-fueled]

Why dosen't Taco just open up Neal's corpse with a lightsaber and crawl inside?

Re:Missing option

[Chyeld]

Give a man a match, provide him light for a second.
Set a man on fire, provide him light for the rest of his life.

Re:Missing option

[kat_skan]

Good god. It'd be like fifty cubic miles of tire fire compressed into some degenerate phase of matter wearing size 59 pants. You'd probably kill every bird in the county.

Re:Missing option

[Drantin]

Set a man a fire, he'll be warm for a night.
Set a man afire, he'll be warm for the rest of his life.

Re:Missing option

[Tumbleweed]

Set a man a fire, he'll be warm for a night.
Set a man afire, he'll be warm for the rest of his life.

That reminds me of my personal motto: Immolation is the sincerest form of flattery.

Re:its only the CA's that use MD5 so the question

[perp]

If I understand the CCC's paper correctly, as long as *even one* of the CA certs trusted by the browser uses MD5, it is possible (with considerable effort) to create an intermediate CA cert that can be used to sign a cert for any FQDN, say paypal.com. Then with a little DNS poisoning, the user is directed to an https site, with a correct domain name and (if the user looks, not bloody likely) a perfectly good certificate that looks like it was signed by a cert that was signed by a cert trusted by the browser.

You don't have to create many rogue certs, all you have to to is create one rogue intermediate CA cert that can sign as many certs as you like, all of which will be accepted with the default browser config. This is what the CCC has done.

Insecure algorithm test tool

[vanbroup]

Networking4all created a tool to check if a certificate in the chain has been signed with a insecure algorithm

Example:
http://www.networking4all.com/en/support/tools/site+check/?fqdn=www.verisign.com

You can check all sites on:
http://www.networking4all.com/en/support/tools/site+check/

Re:Insecure algorithm test tool

[DavidB]

It would be nice if someone could make a Firefox plugin to do this same check.

Re:its only the CA's that use MD5 so the question

[MonkeyOnATypewriter]

From TFA, the CAs that use MD5 are these:

        * RapidSSL
            C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        * FreeSSL (free trial certificates offered by RapidSSL)
            C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
        * TC TrustCenter AG
            C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de
        * RSA Data Security
            C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        * Thawte
            C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
        * verisign.co.jp
            O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

Rouge certificates are bad?

[frank_adrian314159]

OK, that's it! I'll only accept chartreuse and lavender certificates from now on. Maybe ivory, too.

Banking is typically slowest to change its crypto

[StandardCell]

Of all the industries that are slow to implement change in cryptographic practices, banking is by far the slowest. Part of this is bureaucratic inertia, part of this is lack of trust of newer algorithms until "proven" safe, and still part of this is reliance on legacy HSMs in their server facilities. Even the NSA has mandated a faster transition to better crypto (e.g. Suite B) than banking. Banking is still using 3DES instead of AES128, although for practical purposes brute-forcing 3DES at 112 bits of effective security isn't that much worse than AES' 128 bits. Banking won't move quickly unless someone starts stealing many thousands of high-profile accounts, but it'll be a bit like a buffalo stampede.

Still, it's mind-boggling that MD5 is still in use by anyone at this point given that it is susceptible to collisions. NSA Suite B is very clear that SHA2 256 is the minimum acceptable hash, and so it should be elsewhere regardless of your symmetric or asymmetric crypto. Back in the day when RSA512 was still used for PKI because of limited computing power, there might have been an excuse to stick to MD5. And yet, we all moved on to RSA1024 and RSA2048 because RSA512 was broken too. SHA2 is free, and it works. It really is time to move on from MD5 for all uses.

Funny enough that the entire security of the Internet as most users see it is based on the MD5 hash of the browser binary...

Reality check for Mozilla

[Burz]

First, this issue is about banks (for instance) verifying themselves to the client, not the other way around, so not sure how OTPs and such figure into this.

Overall, between the drama over one of Comodo's trustee CAs handing out certs without verification (for mozilla.com no less) and this MD5 attack, there is a lesson on this for Mozilla:

Trusted CAs aren't the epitome of web safety. In fact, they are LESS safe than one of those "Invalid" (to use Mozilla's ill-chosen words) self-signed certificates under some circumstances.

I put the ranking of https safety as follows:

1. Any self-generated cert (even self-signed) which has been directly copied from the service provider (bank, etc.) and imported into the browser.

Though this is the most secure, it is a shame that the user may receive warnings from other Firefox users who visited the site about the cert being "Invalid", undermining confidence in this most secure method of using certs.

2. Any self-generated cert (even self-signed) verified by SHA1 fingerprint "out of bank" (e.g. letter or phone call or even email) then imported into the browser. Unfortunately the easiest method to initiate this procedure (visit the site, verify then click on a button to import) is now somewhat broken in Firefox and will quite inappropriately undermine the user's confidence in what is otherwise a very secure cert.

3. Relying on the browser-trusted CAs. Unfortunately there now many of them which are obscure even in the tech community, and some are sloppy and incompetent.

Re:Reality check for Mozilla

[aj50]

1. Any self-generated cert (even self-signed) which has been directly copied from the service provider (bank, etc.) and imported into the browser.

Though this is the most secure, it is a shame that the user may receive warnings from other Firefox users who visited the site about the cert being "Invalid", undermining confidence in this most secure method of using certs.

If the certificate is imported into the browser as a trusted certificate you don't get the warning, that's the point.

The invalid warnings are for when the certificate has been sent over an untrusted connection and you have no assurance that the certificate is the correct one for the site. In this case, flashing a huge warning in the user's face is absolutely the right thing to do since at the moment, all legitimate online shops have a certificate verified by a third party.

The trusted third party solution we have currently is the most convenient since it's all automatic and transparent to the user. What we're recently finding is that some of these trusted third parties are not turstworthy.

Re:Reality check for Mozilla

[Burz]

1. Any self-generated cert (even self-signed) which has been directly copied from the service provider (bank, etc.) and imported into the browser.

Though this is the most secure, it is a shame that the user may receive warnings from other Firefox users who visited the site about the cert being "Invalid", undermining confidence in this most secure method of using certs.

If the certificate is imported into the browser as a trusted certificate you don't get the warning, that's the point.

The invalid warnings are for when the certificate has been sent over an untrusted connection and you have no assurance that the certificate is the correct one for the site. In this case, flashing a huge warning in the user's face is absolutely the right thing to do since at the moment, all legitimate online shops have a certificate verified by a third party.

Huge warning Yes; Incorrectly-worded warning that passes judgment on the cert before the user even wonders if it can be verified... NO.

The old behavior used a big warning without condemning the cert. Unfortunately it gave the used an option to just accept the cert and make a connect without even viewing it.

The correct change to make IMO would be to remove the "Continue" button and instead force the user to import the cert before continuing with a connection. Then the certs would be handled more like SSH keys; an attacker would have to maintain constant MITM from the user's first login in order to fool them - very unlikely.

More than that, the browser could show th SHA1 finger print in any/all cert warnings. This would encourage banks, merchants, etc. to start printing their fingerprints along with their URL on bank statements, invoices or other correspondence, facilitating a strong out-of-band verification.

The trusted third party solution we have currently is the most convenient since it's all automatic and transparent to the user. What we're recently finding is that some of these trusted third parties are not turstworthy.

I agree. But the transparency is bad in this case because the responsibility can only ever be in the user's hands; the web would have to become rigidly authoritarian otherwise. People need to be able to handle keys responsibly in the digital world as they do in the physical one. PC systems should make certs and keys more tangible to end-users, letting them grab, move, examine, collect and most importantly recognize them in a heartbeat. It should be possible to designate a flash card expressly for storing certs/keys and passwords to be carried around in one's wallet, purse or keychain.

Re:Reality check for Mozilla

[Feyr]

ingdirect's picture+phrase actually lowers your security through information disclosure. a hacker can phish for valid accounts by just trying random numbers and recording which one has a picture

i actually moved my banking elsewhere when they installed that, and did the same with my main checking account.

Re:Reality check for Mozilla

[jonadab]

> Trusted CAs aren't the epitome of web safety. In fact, they are LESS safe than one of those
> "Invalid" (to use Mozilla's ill-chosen words) self-signed certificates under some circumstances.

If you have a secure channel to verify that the self-signed cert is correct, you can add it to your approved list and treat it as valid. Actually the ideal way to do things like internal self-signed certs for an intranet site is to set up your own private CA (preferably on a physically-secured, non-networked system), add it to the trusted list in the clients, and use it to sign the server certs.

And yes, the second choice would be to do an out-of-band verification (as you describe) of each cert before accepting it.

But in the real world this is all a WHOLE lot more trouble than most ordinary end-users are willing to go to in order to verify the cert for each and every public https site they are visiting.

So we have trusted CAs, because the other options are A) forget about https entirely and do everything with http, B) give the user a stupid pointless annoying "accept this cert" button to mindlessly click on (no they will NOT actually read the message before clicking the Accept button), or C) just trust all certs no matter what. These options are all considerably worse than trusting the certificate authorities.

Of course, those are the options for what the browsers can do by *default*. If you are a knowledgeable user with concerns about security, you can always remove the CA certs from your trusted list and inspect every cert manually. It's a lot of trouble, but good security isn't always convenient.

There's also the small matter of the extensive overuse of https. It seems almost every site that lets you log in wants to protect the login with https, even the login doesn't protect anything more important than your preferences for some of the site's features and maybe an "about me" blurb that other users of the site can see by clicking on your name. Every webmaster wants to feel that his site is so uber-important that it would be a disaster if somebody's login got compromised, but with a few exceptions (e.g., banks) this is mostly just arrogance. I suppose an argument could be made that users tend to use the same username/password pair for many services, and one of the *other* services the user uses with the same login credentials could actually matter. But on the whole I think this is outweighed by the fact that having tens of billions of https sites on the internet fundamentally makes the PKI vastly more difficult to oversee and protect. IMO, using https on sites where the user's account fundamentally will never ever matter (e.g., slashdot) is silly, unnecessary, and collectively (if a lot of sites do it) bad for the security of the whole internet.

Re:Reality check for Mozilla

[mvdwege]

About Firefox new certificate warnings:

The old behavior used a big warning without condemning the cert. Unfortunately it gave the used an option to just accept the cert and make a connect without even viewing it.

Nice of you to say so. Then you go and show that you actually don't use FF3, or that you are just as oblivious as the users who clicked away the old warning:

The correct change to make IMO would be to remove the "Continue" button and instead force the user to import the cert before continuing with a connection.

This is exactly what FF3 does. Which you should have known if you had read the text of the warning and the dialog boxes following.

And where do you see user condemnation in FF3's prompts?

Mart

Re:its only the CA's that use MD5 so the question

[Tony+Hoyle]

Any CA that still uses MD5 should be removed from the list of trusted CAs in all browsers, with immediate effect.

Re:Not the end of the Internet...

[Rayban]

It's a problem for all websites. All you need to do is forge a certificate from Amazon that uses MD5 and redirect someone's browser via Wifi hacking or DNS redirection.

The browser doesn't know that Amazon didn't use Verisign's busted MD5 cert root.

Maybe a Firefox config setting

[McNihil]

Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kind of attacks?

Re:Maybe a Firefox config setting

[kasperd]

Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kind of attacks?

Interesting question. From the name it does sound like this option would do. But frankly I don't know how I would verify it. The article doesn't link to any proof of concept site. I wonder why they didn't setup an https server with a certificate signed by their rogue certificate. (They could have done so for a server they already control, so no mitm attack would be involved).

Re:Maybe a Firefox config setting

[u38cg]

They delibarately created their root certificate with an expiry date of 2004, in case it leaked. So there was no point creating a proof-of-concept as it wouldn't work anyway.

Re:Maybe a Firefox config setting

[kasperd]

They delibarately created their root certificate with an expiry date of 2004, in case it leaked. So there was no point creating a proof-of-concept as it wouldn't work anyway.

You'd of course have to set the clock on your machine back to the time where the certificate was valid if you wanted to see the proof of concept. It wouldn't mean you could access the site directly with any normal browser, but at least you'd be able to see it if you really wanted to, and you could test any countermeasures against it. Come to think of it, they could also just publish such a signed certificate along with the secret key. An expired leaf certificate for an uninteresting domain is not useful for any phishing or mitm attacks anyway.

Re:Maybe a Firefox config setting

[julesh]

Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kind of attacks?

I don't think so, no. First of all, I'd guess that that setting only applies to SSL3; the attacker could simply choose to use SSL2 instead. Secondly, I believe that this applies only to the MAC blocks that are used within the SSL protocol for validating the origin of data blocks; the certificates would be verified using an entirely separate code path that I do not believe honours the cipher options for the connections.

Look at it this way: you could *also* disable all the cipher options that use SHA. If that affected certificates, almost nothing would work.

Re:Maybe a Firefox config setting

[ArsenneLupin]

You'd of course have to set the clock on your machine back to the time where the certificate was valid if you wanted to see the proof of concept.

Many browsers display the reason(s) why a certificate is rejected. So, in this case, it would say "Expired certificate and invalid CA in chain of trust"

Re:Maybe a Firefox config setting

[ArsenneLupin]

But frankly I don't know how I would verify it.

Well, it should barf on any site signed by RapidSSL, even legitimate ones. Does anybody have an example of a site signed by RapidSSL?

Another way to test it would be would to set up your own CA using openssl, import it into your browser, then create an MD5-signed sub CA certificate for it, and finally use the sub CA to make a certificate for your website. But does anybody know how to convince openssl to use MD5 rather than SHA-1 for signing certificates?

Re:Maybe a Firefox config setting

[kasperd]

Well, it should barf on any site signed by RapidSSL, even legitimate ones. Does anybody have an example of a site signed by RapidSSL?

You can't really be sure that it treats intermediate CA certificates the same way it treats leaf certificates unless you actually verified it.

Another way to test it would be would to set up your own CA using openssl, import it into your browser, then create an MD5-signed sub CA certificate for it, and finally use the sub CA to make a certificate for your website. But does anybody know how to convince openssl to use MD5 rather than SHA-1 for signing certificates?

I probably should try that, it would also give a slightly better feeling for how the signing process works in practice. But right now it would be nice to be able to verify this setting without going through the steps of setting up the entire chain.

Re:Maybe a Firefox config setting

[kasperd]

So, in this case, it would say "Expired certificate and invalid CA in chain of trust"

It wouldn't in the scenario I described. If you set the clock back the browser wouldn't consider the certificate to have expired. And to the browser the CA looks perfectly valid. Are you thinking about a different setup from the one I described?

Re:Maybe a Firefox config setting

[ArsenneLupin]

Not sure what you are going on about, I just tried to helpfully point out that many browsers actually do supply the reason(s) why a certificate was rejected in their popup message, even if there are multiple reasons. That way, you don't need to mess with the clock, because the browser will tell you whether the fact that the certificate was expired was the only reason why it was rejected, or whether there were other reasons as well.

We once had a case where a server had a certificate with 3 problems at once: expired, self-signed and mismatched hostname. Browsers pointed out all 3 problems together.

Re:Maybe a Firefox config setting

[kasperd]

Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kind of attacks?

After reading about it on lwn.net, I learned that this setting does not protect you against this particular problem (but setting it to false doesn't hurt). I also learned that the certificate for lwn.net is signed using md5, so if the setting worked you would get a warning or error when trying to access lwn.net with https. If you want to try it out yourself here are two sites with md5 based certificates lwn.net and ssl247.com. It's just the leaves that are signed using md5, if the attack was used it would moste likely be an intermediate CA that was signed using md5. I tested this in both firefox and seamonkey, neither gave any warning.

Rouge students and some more insight

[owlstead]

Strange bunch of hackers. Don't expect some rouge students here, one is Arjen Lenstra, which is a well known figure in the security scene.

Very interesting to see that not only do they issue certificates using MD5 signatures (a very stupid thing to do) but they haven't even bothered to make sure that only leaf certificates can be issued. Or there are probably other CA certificates already issued under these root CA's, making matters even worse.

The article was very well written and thus easy to read. I'm only concerned about the recommendation of the authors to do nothing if you've been issued an MD5 certificate yourself. Doing nothing does not seem to be a very good advice. I would myself go to another shop and get a SHA-1 signed certificate (or even a SHA-2 signed certificate for those not concerned with low level browsers). At least your customers will know that there is no man in the middle due to the MD5 issue, and you show that you care for your clients' security.

Hopefully SHA-1 will hold up a bit longer, because last time I looked (a year ago or somewhere in that order), there were zero (0!) certificates that were self signed using SHA-2, which is not a good indication of the current state at all.

Gosh, that's the second CA I've disabled within Firefox just this week. Interesting times.

Re:Rouge students and some more insight

[Simon+(S2)]

I'm only concerned about the recommendation of the authors to do nothing if you've been issued an MD5 certificate yourself. Doing nothing does not seem to be a very good advice. I would myself go to another shop and get a SHA-1 signed certificate (or even a SHA-2 signed certificate for those not concerned with low level browsers). At least your customers will know that there is no man in the middle due to the MD5 issue, and you show that you care for your clients' security.

You can't really do anything about it. A man in the middle attack will always be possible. They generated a CA certificate, and with that cert they can sign self generated certs for every host they want, and the client browser will trust it. You, as a site owner, can't do anything about it. The attacker can spoof the dns response for www.bank.com, redirect the client to his own box with his own web server and valid certificate for www.bank.com and get all data the client sends him. As I sad, www.bank.com is not able to prevent anything in this case, even if they avoid the use of CAs that make use of MD5 for their certs.

Re:Rouge students and some more insight

[owlstead]

I don't think banks will be using MD5 at this point in time. RapidSSL does not seem to be a name for a CA that issues to banking sites (I could be wrong here, but I doubt it). At least the client (or an updated browser) will be able to check the certificate chain to see that it does not have the MD5 vulnerability if the chain doesn't have MD5 in it, if the certificate has been updated to hold a SHA-1 signature.

You only need one client that sees a problem with a site for the site to be taken down or put in the malware list used by modern (non-embedded?) browsers. So this might be a solution for some cases.

Re:Rouge students and some more insight

[Simon+(S2)]

I don't think banks will be using MD5 at this point in time.

That is not important. CAs that use MD5 for their cert signing are already in the browsers list of trusted CAs. It is not important what CA the banks use for their own certs for this attack to work.

Re:Rouge students and some more insight

[gclef]

I would myself go to another shop and get a SHA-1 signed certificate (or even a SHA-2 signed certificate for those not concerned with low level browsers). At least your customers will know that there is no man in the middle due to the MD5 issue.

Unfortunately, no, they won't. An MD-5 signed intermediate cert can quite happily issue certs signed with SHA-1. (They did just this as part of their testing.) There's no requirement for the signing chain to be signed with the same algorithm.

The fact that your end certificate is SHA-1 signed really doesn't mean anything to the end user. If your cert is MD-5 signed, all that could possibly mean is that your CA at one time did something stupid. Whether it is still doing that stupid thing (or already did that stupid thing for an attacker) is something that the end user has no way of knowing...the end user really is basically screwed here.

Re:Rouge students and some more insight

[owlstead]

That is not important. CAs that use MD5 for their cert signing are already in the browsers list of trusted CAs. It is not important what CA the banks use for their own certs for this attack to work.

Of course, of course, this is true for the *current* browsers. Even then, it is possible for people to check the certificate chain manually. I do this regularly myself (I've got a separate browser instance - Firefox with a different profile - with just the right certificates in there for security means).

In future browsers I would like to see a warning when:
- MD5 or other insecure algorithms may have to be used (in the future other algorithms such as SHA-1, RSA-1024 or even TDES may be at risk)
- a site I've visited before (suddenly) changes certificates
- a CA certificate has been compromised or misused (same as with the current protection against fishing sites)

For now, sites should already go for SHA-1, if only to show to the user that *they* are not the problem. The user can then check the chain to see if there is any MD5. Of course, most users won't do this, but only a single one has to be attacked to find out something is wrong.

Out-phasing the MD5 root certificates (or at least those still signing certificate requests with MD5) should be the next logical step.

Re:Rouge students and some more insight

[owlstead]

If the administrator of a web site goes to a CA and request a SHA-1 certificate, if possible within a chain that only contains SHA-1 signatures, then the user of the site can be certain that this attack has not been taken place. Of course, the user or the browser still has to check that MD-5 has not been used (possibly outside of the self signed root certificate, where it is rather harmless).

Hoping this description fares better than the previous one.

Re:Rouge students and some more insight

[jesboat]

but they haven't even bothered to make sure that only leaf certificates can be issued.

Nope; the CA only signed a what you call a leaf certificate, but the constraint which determines whether a key can is a branch ("CA = true") or leaf ("CA = false") was part of the cert that they were able to change. See the last paragraph of section 5.1

Re:Rouge students and some more insight

[owlstead]

You, sir, are of course correct.

Free virus with a new account!

[oneiros27]

I can see this going the way of the digital picture frames.

Re:its only the CA's that use MD5 so the question

[peacefinder]

Ouch.

red certificates?

[speculatrix]

what's a rouge certificate - why does the colour matter? ah, I see, maybe the OP mean a rogue certificate!

Re:its only the CA's that use MD5 so the question

It's not quite as bad as it sounds. Their attack relies on guessing the certificate serial number and date correctly, which is easy with the CA they chose: RapidSSL uses a completely automatic workflow, issues certificates exactly 6 seconds after the signing request and uses sequential serial numbers. If the CA randomizes the signing date and serial numbers, they can prevent this attack. If this CA does that, and they've promised they will do this and/or switch to SHA-1 ASAP, then this hole is patched, for now. If at least one other CA exists which uses MD5 for signing certificates AND uses sequential serial numbers AND has predictable timing, then that CA is indeed an avenue to attack.

They have to guess these parameters because it's a collision attack: They can not create a new document with the same MD5 hash value as a given document (an existing certificate in this case). They can only create two documents with the same MD5 hash value, if they can add some arbitrary (random looking) bytes to both documents. They use the public key in the legitimate certificate to hide this "garbage". Consequentially the legitimate certificate is non-functional because the key in the certificate isn't an actual public key to which they know they private key. When the CA signs their legitimate certificate, with the right serial number and at the right time, it signs a document which is crafted to have the same MD5 as the other certificate. All other data can be chosen directly by the attacker and just has to conform to the formal specification of a certificate signing request (and look unsuspicious, hence hiding the garbage in the key). The other document (certificate) also has to be a formally valid certificate and can use arbitrary serial numbers and dates, as long as the garbage is hidden in a field that is ignored by the browser (Netscape comment field in their example).

Ok, KD5 must go

[marcosdumay]

To the hell with backward compatibility. Browsers should already have stoped accepting MD5 signatures by 2004. It was broken by that time, the fact that there was no known exploit did not make it any less bad. By that time people aready used alternatives and tought it would be broken soon, so why did CAs wait?

I hope that, now, the main browsers stop accepting it, and with all that noise about the way Firefox handles certificates, I hope it moves soon. Too bad we have IE6 that probably won't receive any kind of update.

Trusted Certificates in XP vs Vista

[kerubi]

Good conclusions. You write that RapidSSL and FreeSSL should be pulled from IE and Netscape.

Interesting point about this is, that there is only approx 30 Trusted CA:s in Windows Vista. Compared to how many in XP? 80-100 or so?

Seems that some have already been pulled?

Re:its only the CA's that use MD5 so the question

[SpaceLifeForm]

And that is what was done.

Link

A powerful digital certificate that can be used to forge the identity of any website on the internet is in the hands of in international band of security researchers, thanks to a sophisticated attack on the ailing MD5 hash algorithm, a slip-up by Verisign, and about 200 PlayStation 3s.

"We can impersonate Amazon.com and you won't notice," says David Molnar, a computer science PhD candidate at UC Berkeley. "The padlock will be there and everything will look like it's a perfectly ordinary certificate."

Re:its only the CA's that use MD5 so the question

[AVee]

They use the public key in the legitimate certificate to hide this "garbage". Consequentially the legitimate certificate is non-functional because the key in the certificate isn't an actual public key to which they know they private key.

So there is another check which would prevent this attack. The CA should verify the public key passed on to them, it would be a lot harder to create a request which would cause a collision. It seems to make sense to check in some way that the public key you are signing does indeed match a private key owned by the entity you are signing it for.

Re:You know what I hate?

[cbiltcliffe]

You're on /. and you've actually seen panties?

Stop making shit up.....

collision attacks are easy to identify

[conspirator57]

note that the collision attack requires a bit of junk in the cert to make the hash be the same as for the original... this means the junk will not look like the rest of the cert. the rest of the cert is formatted and the collision noise will look mostly random. a simple test for unexpected randomness in the cert data (including Netscape comments) would reveal this sort of mischief. it just takes a bit of code on the browser to look for it. shouldn't even degrade browsing performance too much.

Re:collision attacks are easy to identify

[makomk]

note that the collision attack requires a bit of junk in the cert to make the hash be the same as for the original... this means the junk will not look like the rest of the cert. the rest of the cert is formatted and the collision noise will look mostly random. a simple test for unexpected randomness in the cert data (including Netscape comments) would reveal this sort of mischief. it just takes a bit of code on the browser to look for it. shouldn't even degrade browsing performance too much.

For this attack, yes, but there may be other similar attacks which don't create this junk.

Re:collision attacks are easy to identify

[makomk]

The "junk" is embedded in the public key and not detectable by inspecting the certificate.

This is only true for the original, genuine certificate that the CA signs. In the malicious CA certificate, there is indeed junk embedded in a Netscape comment field that shouldn't be there.

The reason the junk isn't hidden in the public key is that, in order to mark the cert as a CA cert, they have to change a flag after the public key. Their method requires the certificates to be identical after the junk, so they have to do some clever tricks with alignment of the certificates.

Re:its only the CA's that use MD5 so the question

[SanityInAnarchy]

Thus rendering large portions of the SSL-enabled Web inaccessible, or at least having them throw up certificate warnings.

There really isn't a good solution here, given how poorly trained most users are, and how difficult it is to actually push updates to them.

MD5? And bigger problem?

[BigGerman]

I dont see any MD5 (only) signed CA certs in my Firefox. DO you?

On the other hand (and I think it is more serious). why there are so many CA certs installed by default? Why do I (apperently) trust anything signed by TURKTRUST ELECTRONIK? ;-)

Re:its only the CA's that use MD5 so the question

[Mashiki]

While I agree it's not a good solution and until the problem is fixed there isn't going to be one. Some people are just too stupid to learn, others are too lazy and the rest don't care until it affects them, and that leaves everyone else to fix the problem or make sure that you break their fingers for them so they don't get their bank/cc/*insert various money exchange* information stolen.

And you can bet there will be hell to pay the first time it happens and people will scream bloody murder because it will be anyones fault but theirs for not learning in the first place.

Mod parent up

Constraining the content allowed in certificate files should improve the robustness of certificate files.

This approach is notable in that it requires updating SSL implementations to be more stringent -- but it generally shouldn't require changes in the x509 data. Some considerations:

• New certificates can be backward compatible with unpatched SSL implementations.
• Most old certificates can be forward compatible with patched SSL implementations. The problem cases will come from esoteric "Extensions".
• Unpatched SSL implementations remain vulnerable.
• A huge range of SSL implementations can be patched by vendors' automatic update mechanisms.
• Each vendor can set its own timeline for deploying a patch.
• This type of patch would not be peculiar to MD5 -- it should mitigate the damage caused by weaknesses in current and future hash algorithms.

IANAPC,BIRACBBS!

Re:You know what I hate?

Probably wears 'em.

Not to mention...

[argent]

Not to mention that many governments would not need to break the root CA.

They could just "ask" the CA to write them as many certificates as they like. Given what the Bush Administration's already got away with, there's no reason to assume any CA is really secure in any country.

With SSH, a certificate/key change would at least be flagged as suspicious, but would a browser even so much as raise an alert as long as the new certificate is properly signed and all that?

Indeed. I've been boggled by the byzantine labyrinth of certificate authorities when for most situations the mechanism used by SSH is better.

Insult to injury

[GeekDork]

To add the two, I got an inline ad to this in this thread. (Konqueror helpfully offered to open it in KWrite.)

not a one-time pad

[SethJohnson]

My bank at least also uses a one-time pad system, namely a numbered list of 100 pre-generated codes.

Just to let you know, that's not a one-time pad. Unless you can only perform 100 logins with that pad. "If a one-time pad is used just twice, simple mathematical operations can reduce it to a running key cipher."

Re:not a one-time pad

[jonbryce]

For payroll transfers submitted by fax, most British banks use a one time pad to verify the fax is legit.

You get a sheet of 12 passwords, in the form of labels that you peel off and stick on the transfer form. When you have used up the sheet, you get a new one with a different set of 12 passwords on it.

Re:not a one-time pad

[KDR_11k]

The TANs are used per transaction, not per login. Not sure they're OTPs though, might be a bit short for that and the bank doesn't know which one of your 100 codes you'll enter next so using them as OTPs wouldn't work. Wikipedia sounds like the point is to give you a physical object (the TAN list) that you must possess in addition to the password that you memorize to get two factor authentification.

Oxymoron

[John+Hasler]

> These certificates are at the basis of truth on secure websites.

"Secure Website" is an oxymoron.

Research Rainbow tables..

[Junta]

It's not a magical MD5 sum cracker, it's just a way of having an index of pre-computed strings that checksum to various values.

The only ubiquitous usage that is vulnerable to this attack is Microsoft SAM database. Many one-off applications similarly implement unsalted hashes. Unices salt passwords and are therefore not inclined to suffer. It doesn't matter the hashing algorithm in use, they are not particularly differently susceptible to this sort of attack. Note also that cracking the hashes in the SAM database is not even required, as NTLM has the client provide the pre-computed hash instead of password. It's really an extra-braindead architecture.

how to check your certs

[Morty]

# the below are bash functions for checking cert files
#   and web servers cert signature algorithms.
# note: they are non-recursive, i.e. you see the algorithm
#   used to sign the cert, not the algorithm that was used
#   to sign the cert that signed the cert.

# morty: call like openssl_cert_signature_algorithm CERT_FILE
openssl_cert_signature_algorithm(){
  local file
  local algorithms status
  for file in "$@"; do
    algorithms=$(
      openssl x509 -in "$file" -text -noout |
      grep -i "Signature Algorithm"|
      sed 's,^ *Signature Algorithm: *,,'|
      sort -u)
    case "$algorithms" in
      *md5*) status=BAD;;
      *sha1*|*sha2*) status=GOOD;;
      *) status=unknown;;
    esac
    echo "file: $file status: $status algorithms: $algorithms"
  done
}

The following can be used to test a server:

# morty: call like: openssl_server_md5_signature www.google.com:443 www.amazon.com:443
openssl_server_md5_signature(){
  local server
  local algorithms status
  for server in "$@"; do
    algorithms=$(
      openssl s_client -connect "$server" </dev/null 2>/dev/null | \
      openssl x509 -in /dev/fd/0 -text -noout |
      grep -i "Signature Algorithm"|
      sed 's,^ *Signature Algorithm: *,,'|
      sort -u)
    case "$algorithms" in
      *md5*) status=BAD;;
      *sha1*|*sha2*) status=GOOD;;
      *) status=unknown;;
    esac
    echo "server: $server status: $status algorithms: $algorithms"
  done
}

Re:how to check your certs

[julesh]

Not that there's any actual point in checking your own certificates. The weakness in MD5 doesn't allow them to generate a certificate that matches yours with their own signature, it only allows them to generate their own certificate with whatever data they want. Basically: the algorithm used by your cert is irrelevant.

I wouldn't panic (yet) if you're still using an MD5-signed certificate. Generating collisions with MD5 (so far) requires you to generate both halves of the collision. As long as you produced your own cert, that isn't a problem for you.

This attack, OTOH, is a problem for _everyone_.

Re:how to check your certs

[Morty]

I suspect that many people will react to this problem by either disabling support for the affected CAs or by disabling support for MD5 certs. In either case, people who have innocent MD5 certs will be collateral damage. So best to get off MD5 certs now.

Re:how to check your certs

[julesh]

The number of people who would know how to do this is vanishingly small. At a guess the fallout will be that over the next month or so all the relevant CAs will fix their procedures and the problem will go away.

Re:Obligatory Futurama

[ta+bu+shi+da+yu]

Oh, I don't know. "What you think is sheep shit .... it's really Tasty Wheat" seems about right to me.

Re:its only the CA's that use MD5 so the question

[kasperd]

Any CA that still uses MD5 should be removed from the list of trusted CAs in all browsers, with immediate effect.

Why? It would be much better to just remove the MD5 support from the browser.

Re:its only the CA's that use MD5 so the question

[kasperd]

So there is another check which would prevent this attack. The CA should verify the public key passed on to them, it would be a lot harder to create a request which would cause a collision.

According to the article, the CA does verify it. Only the first part of the modulus is random garbage created by the collision algorithm. Once they have a collision, they can choose the rest of the certificate, so they choose the remaining part of the modulus in a way that together with the random garbage make up a valid RSA modulus.

Re:its only the CA's that use MD5 so the question

[PAjamian]

If I understand the CCC's paper correctly, as long as *even one* of the CA certs trusted by the browser uses MD5,

Not quite, but close. It doesn't matter what the CA's cert uses, what matters is the encryption the CA uses to sign *your* cert. The difference here is that everyone need not have to get their browser updated with new root certs to avoid this problem. All that needs to happen is that CA's need to stop signing certs with md5.

Re:Enough about Kaminsky, seriously.

[rtfa-troll]

Kaminski is an internet Meme. Complaining that a security story mentions him is like complaining that Cmdr Taco isn't related to sex godesses (who would you most like to have home for a beer? Jolie / Johansson / Pressly / Bundchen / Aston / Casta / Cmdr Taco). You just seem like a total pervy loser.

Re:You know what I hate?

[julesh]

You're on /. and you've actually seen panties?

Stop making shit up.....

Psssst. I know this great lingerie shop that's got racks and racks of the things, all out on display... do you wanna know the address?

Who's responsible for the mis-uses?

[ug93tad]

OK, let me try if I can restate the problem first, then I'll give the question:

So:
1. You want the CA to *sign* a rouge certificate by having it fooled into signing a legitimate, hash-colluded one.
2. In order to do that, you must carefully choose the legit certificate and ask the CA to sign, while using the rouge ones for bad things.

Now clearly when asking the CA to sign, you ought to agree with some of the legal stuff from the CA. The problem I see lies in this scenarios:
(a) You use the bad certificate to do bad things that affect me.
(b) I somehow trace it back to the problem of the certificate being rouge/malicious, etc. I further backtrack the CA tree and found the one that sign your legit certificate.
(c) I file a law suit, and the CA that signed your cert will then know that its misused signature is for you. Then you'll get into troubles.

SO YOU'RE SHOOTING YOURSELF IN THE FOOT.

You can say that's the way it is, since one of your millions enemies may have framed you. Well, I think it's in many order of magnitude more difficult finding a hash-collisioned certificate to a random legit one. So I don't think so.