Outdated Security Threatens Web Commerce

UPDATED 11:48 a.m.: Added more information about a 2001 certificate problem that involved Microsoft.

A team of United States and European computer security researchers has used a cluster of several hundred Sony PlayStation 3 video-game machines to exploit a basic weakness in the software system used to protect commercial transactions made via the Internet.

The attack is possible because a handful of commercial organizations that provide components of the basic security infrastructure of the Internet are using an older security technology — despite years of warnings that it is now potentially obsolete. The flaw would make it possible for a criminal to redirect a Web surfer to a fake bank or online merchant without being detected by the security mechanism embedded in today’s Web browsers. It could also be used to subvert e-mail communications and other applications that use cryptographic software for authentication and security.

The demonstration underscores that the commercial infrastructure of the Internet, as well as its privacy and security, are based on an advanced branch of mathematics that in the future may become vulnerable to more powerful computing systems and more clever attackers.

Today’s browsers display a tiny image of a padlock when a user has a secure connection to a Web site. This is intended to provide evidence that the Web site is legitimate, as the browser and the site exchange digital certificates provided by a certificate authority — a trusted third party.

Researchers have proved they can create fake certificates that will be accepted by the security system.

Although most certificate authorities have shifted to a more modern digital fingerprinting algorithm known as SHA-1, a small number have not. The digital certificate system is designed in such a way that if a single certificate authority can be compromised, an attacker can mass-produce forged certificates that undermine the chain of trust the entire system is based on. It relies on public key cryptography, a system in which each user creates a pair of keys, a public key and a private key, that are long numbers used to mathematically prove identity and to encrypt and decrypt information.

The results of the research were announced Tuesday afternoon in a paper the researchers presented at a technical conference in Berlin. The flaw is contained in an algorithm known as MD5, which is widely used to produce unique digital fingerprints. The weakness had first been discovered in 2004 by a group of Chinese researchers, but at the time, it still required vast amounts of computing to produce a forged certificate.

But the group of independent cryptographers and mathematicians, based in California, the Centrum Voor Wiskunde en Informatica and Eindhoven University of Technology in the Netherlands and the École Polytechnique Fédérale de Lausanne in Switzerland, was able to create a “collision,” two different messages with an identical MD5 fingerprint, so that a certificate authority’s signature over one is equally valid for the other, in just three days of computing. The researchers estimated that it would take a typical desktop machine about 32 years to perform the same calculations.
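The mechanism described above, a CA signature that covers only the MD5 fingerprint of the certificate and therefore transfers unchanged to any second document with the same fingerprint, can be shown with a published collision pair. The block below is an added example, not code from the article or from the researchers’ paper. It uses the two 128-byte messages published by Wang et al. in 2004 (a plain MD5 collision, not the forged certificate, which the researchers did not release) and a deliberately tiny textbook-RSA key that stands in for a hypothetical CA’s signing key; both are labelled as such in the code. It also shows what the move to SHA-1 or SHA-256 buys: the same two messages no longer share a digest, so the rogue one fails verification.

```python
import hashlib

# Two 128-byte messages published by Wang et al. (2004). They differ in six
# bytes but have the same MD5 digest. This is a published collision pair,
# NOT the certificate pair from the Berlin demonstration.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Hypothetical CA key: textbook RSA built from two Mersenne primes, with no
# padding. A toy chosen only so the example runs offline; it shows that the
# signature is computed over the digest, not over the signed bytes.
_P = 2**127 - 1
_Q = 2**521 - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))


def differing_offsets(a, b):
    """Byte positions at which the two messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def ca_sign(tbs, hash_name="md5"):
    """What the CA does: hash the to-be-signed bytes, then sign the digest."""
    digest = hashlib.new(hash_name, tbs).digest()
    return pow(int.from_bytes(digest, "big"), D, N)


def verify(tbs, signature, hash_name="md5"):
    """What the browser does: recompute the digest and compare it with the
    value recovered from the signature under the CA's public key."""
    expected = int.from_bytes(hashlib.new(hash_name, tbs).digest(), "big")
    return pow(signature, E, N) == expected


def signature_transfers(hash_name):
    """Sign M1 (the 'honest' request) and report whether M1 and M2 verify.
    With MD5 both do; with SHA-1 or SHA-256 only the honest one does."""
    sig = ca_sign(M1, hash_name)
    return verify(M1, sig, hash_name), verify(M2, sig, hash_name)


def suffix_still_collides(suffix):
    """Merkle-Damgard property: the pair collides in MD5's internal state
    after two full blocks, so any common suffix keeps the collision."""
    return hashlib.md5(M1 + suffix).digest() == hashlib.md5(M2 + suffix).digest()


if __name__ == "__main__":
    print("differ at bytes:", differing_offsets(M1, M2))
    print("md5(M1):", hashlib.md5(M1).hexdigest())
    print("md5(M2):", hashlib.md5(M2).hexdigest())
    for h in ("md5", "sha1", "sha256"):
        print(h, "(honest verifies, rogue verifies):", signature_transfers(h))
    print("common suffix keeps collision:", suffix_still_collides(b"CA:TRUE"))
```

The pair above shares a prefix and differs only inside the colliding blocks; the Berlin attack needed the stronger chosen-prefix variant, in which the two documents start out different (an ordinary end-entity certificate request versus a certificate carrying the CA flag) and the collision blocks are computed to reconcile them, which is where the PlayStation 3 cluster came in. The binding that makes the forgery work is the same one the toy key demonstrates: the CA never sees the rogue bytes, it signs a 128-bit fingerprint, and anything with that fingerprint inherits the signature.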

The researchers said that by creating a fake certificate, they had demonstrated that a critical part of the Internet security infrastructure is not safe. To ensure that it was not used for criminal purposes, Arjen Lenstra, the head of E.P.F.L.’s Laboratory for Cryptologic Algorithms, said they had created the certificate to be valid for only one month, August 2004, as a proof of concept.

Computer security specialists were divided on the significance of the exploit.

“This is good research,” said Bruce Schneier, chief security technology officer for British Telecom. “But in the scheme of things, how many people do we know who rely on these certificates for anything? When was the last time you checked your browser certificates to make sure they’re good?”

Others said that the researchers had done a valuable service by exposing lax practices in the industry.

“It’s shocking that a commercial certificate authority is still using only MD5,” said Paul Kocher, president and chief scientist of Cryptography Inc., a San Francisco-based computer security firm. “Although the problems with MD5 have been known for ages, the paper does a clever job of demonstrating how a badly run certification authority can be subverted.”

“It impacts 99 percent of the browser infrastructure and it goes beyond Web browsers,” said Jacob Appelbaum, an independent computer security researcher based in San Francisco. Also potentially affected are e-mail and chat servers and online collaboration systems.

Although the MD5-only certificate authorities were not identified in the paper, one of the California-based researchers, Alexander Sotirov, said that two low-cost providers of digital certificates, RapidSSL and FreeSSL, relied on the vulnerable algorithm. Both of them are owned by Geotrust, a Mountain View, Calif., company that VeriSign acquired in 2006. Mr. Sotirov said that the researchers had contacted the firm and that it was ending its reliance on the MD5 algorithm. Researchers said they were also investigating a Japan-based firm that appears to rely solely on MD5.

The certificate authority system has been subverted in the past. One case occurred in 2001, when VeriSign issued certificates to a person claiming to represent Microsoft. Because the certificates had the name “Microsoft Corporation,” they could have been used to convince someone that fraudulent software updates came from the software publisher. (Microsoft offered a software patch to deal with the problem.)


Networking4all created a tool to check if a certificate in the chain has been signed with an insecure algorithm

Example:
https://www.networking4all.com/en/support/tools/site+check/?fqdn=www.verisign.com

You can check all sites on:
https://www.networking4all.com/en/support/tools/site+check/

Shop at well-known on-line stores, check the URL displayed in the address window (especially if redirected anywhere), and you have a 99.999% chance of being perfectly safe.

These “boogie-man” kind of stories provide jobs for security consultants and little other benefit.

I strenuously disagree with Steverino @2:22pm. Suppose you were in a cafe using the provided Wi-Fi network. You cannot trust the DNS results and therefore cannot trust the address in the address bar (unless you are using IPSec and DNSSEC together, which is an extremely difficult thing to do for most users). With today’s revelation, an attacker could return a bad address for amazon.com, and use a fake certificate that your browser nevertheless accepts, and you will be none the wiser. You will happily type in your credit card number because the address bar says “amazon.com” and the little padlock is highlighted. This is a serious vulnerability that is very easily exploited.

Not really, especially as it’s entirely possible to trick a computer into going to a site that looks completely authentic. If hackers a few years ago could convince multiple CEOs that the hackers were actually prosecutors bringing charges against them, exactly how difficult is it to convince a computer it’s on the Microsoft homepage?

FYI, VeriSign closed this security hole about five hours after learning about it: https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php

It is a significant risk regardless of the percentages. If 99.9999 % of activities are secure, then one in 1,000,000 is not. It only takes one insecure transaction to clean out a large account.

While I agree with Jeffrey Baker, I would never ever log into any sensitive areas involving monetary transactions on a public wi-fi network. Now perhaps most people don’t realize the chance they’re taking, but to me, even without this hack, that’s dangerous.

Steverino —

In a recent thread on the Firefox bugzilla, it was noted that what had been reported as a bug was actually a man-in-the-middle attack, resulting from the use of a third party wireless network. The attack was detected because of the use of fraudulent SSL certificates and the extensive warnings Firefox gives before allowing the use of such certificates. Read the thread for yourself:

https://bugzilla.mozilla.org/show_bug.cgi?id=460374

The risks are real, and the use of MD5 hashes to sign digital certificates in this day and age is a very bad idea.

— Ben

One of the defining issues for the immediate future and the health of the world economy is the safety and security of the internet.
Unfortunately, even a brief look at the daily news tells us that we are not only losing the war to protect our privacy and information online, we have not even won any battles of consequence lately. It is no longer a question of “if” or “when” but rather of “how soon” before a perfect storm of cyber crime may conquer cyberspace. We have grown so dependent on the internet in all aspects of our lives that the effect could be truly catastrophic: not only could it destroy economies, businesses, public institutions and ruin many lives, it could also tear the very fabric of our society and create social unrest on a global scale. The damage would probably be on the order of the global economic meltdown currently underway, with even wider implications that could defy hope of repairing it in any foreseeable future.
There are possible solutions:
//www.dtagrit.com

but they do require our focus, attention and, most important, the willingness to deal with the problem now, before the catastrophic collapse.

So, I was there at the Berlin conference and, while taken on its own the demonstration was interesting, taken together with two other topics discussed at the conference it becomes a lot more worrying. We are still coping with the DNS and the Debian RNG mess. The fact that not all DNS servers have been patched to close a serious bug means that resolving names to IP addresses will still be susceptible to attack. The fact that the Debian Linux Random Number Generator was broken for so long has consequences for all software distributed for Debian. Taken all together, attacks may now be possible against the Internet infrastructure affecting our ability to trust any connection and authentication we use.

The point being that as the digital landscape shifts, the ethical use of technology for the purpose of digital security must shift to meet its needs. Whether it be smart chips in our bank cards to protect our assets or our passports that protect our identity from theft, the underlying truth is that walking the streets of your favorite city at night is no different than trolling through the internet during the daytime. It requires a high level of confidence and street smarts.