Chicago (IL) – One of the cornerstones of Internet security may not be as solid as generally believed: A team of researchers said they successfully created a rogue certification authority (CA) to create digital certificates that are accepted by all major web browser – and not just those that are running on PCs. The discovery could prompt a new wave of phishing attacks and the adoption of more secure cryptographic standards on the Internet.
It is not really a secret that careless browsing on the Internet can expose a computing device to security threats and that a decent security software package as well as good portion of common sense is necessary when using the Internet today. Just like in real life, you just don’t walk into dark alleys at night. But sometimes the threat surfaces in broad daylight and that seems what security researchers in California and researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands have found in this case.
At the 25C3 security congress in Berlin, they described a security issue in the Internet digital certificate infrastructure that apparently allows attackers to forge certificates that are fully trusted by all popular web browsers. In theory, the discovery would allow an attacker to perfectly impersonate secure websites and email servers to carry out phishing attacks. In that case, the common security certificate we often rely on to determine whether a site is secure or not, may be worthless.
Digital certificates are issued by just a few trusted Certification Authorities (CAs) and are employed in secure sites whose URL usually starts with “https” instead of the common “http”. For example, banks use digital certificates for online banking. To ensure that the digital certificate is legitimate, the browser verifies its signature using standard cryptographic algorithms. However, the researchers claim that these algorithms, known as MD5, are not secure.
The claim they were able to create a rogue certification authority (CA) that is “trusted by all major web browsers and a cluster of more than 200 commercially available game consoles” by using an advanced implementation of a strategy called collision attack. Collision attacks at MD5 were first demonstrated in 2004, which created two different messages with the same digital signature. In 2007, collision attacks were advanced and enabled researchers to create virtually any two messages they wanted.
The creation of a rogue CA closes the circle and reveals a giant security problem in the global Internet. The limits in the creation of digital certificates have been removed and could create virtually undetectable phishing attacks: “For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting,” the researchers said. “The web browser could then receive a forged certificate that will be erroneously trusted, and users' passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.”
"The major browsers and Internet players - such as Mozilla and Microsoft - have been contacted to inform them of our discovery and some have already taken action to better protect their users," said Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms. "To prevent any damage from occurring, the certificate we created had a validity of only one month - August 2004 - which expired more than four years ago. The only objective of our research was to stimulate better Internet security with adequate protocols that provide the necessary security."
The problem is clearly MD5 and even if there may not be any exploits in the wild, the demonstrated vulnerability may spark a new race between finding effective exploits and a new, more secure technology. "It's imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard," Lenstra said.