Updated at 3:30 p.m. PST with Microsoft comment, at 1:50 p.m. PST with VeriSign comment, at 10 a.m. PST with comment from cryptography expert Paul Kocher, and at 9 a.m. PST to reflect that presentation has taken place and include comment from cryptography expert Bruce Schneier.
BERLIN--A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers announced on Tuesday.
They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.
The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time on a cluster of 200 PlayStation 3 consoles. In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years.
Yet if one group can do it today, others eventually will. "We have a proof-of-concept that allows us to impersonate any supposedly secure Web site on the Internet," said David Molnar, a doctoral student in computer science at the University of California at Berkeley.
Their work has focused on finding vulnerabilities in a technology known as Secure Sockets Layer, or SSL, which was designed to provide Internet users with two guarantees: first, that the Web site they're connecting to isn't being spoofed, and second, that the connection is encrypted and is proof against eavesdropping. SSL is used whenever a user navigates to an address beginning with "https://". SSL certificates essentially stand for the claim that, for instance, etrade.com actually belongs to E-Trade Inc., and is not being operated by a thief hoping to steal account passwords.
Most browsers indicate that SSL is active by displaying a small padlock icon. An attack using a forged authentication certificate--which is what the researchers say they have done--is insidious because the browser can't detect it and the padlock icon would still appear.
Unlike most security issues, this problem cannot be fixed with a simple software update. "The bug is not in anyone's software," Sotirov said. "It's not the browser that's at fault. The browser does exactly what it's supposed to do... The problem is that what it's supposed to do is wrong."
The attack exploits a mathematical vulnerability in the MD5 algorithm, one of the standard cryptographic functions used to check that SSL certificates (and thus the corresponding Web sites) are valid. This function has been publicly known to be weak since 2004, but until now no one had figured out how to turn this theoretical weakness into a practical attack.
An SSL certificate is a small file that ties a real-world corporate identity to a Web site address and a corresponding public encryption key. This is presented to a private certificate authority firm, which is supposed to verify the link between identity and domain name and then cryptographically "sign" the certificate to vouch for it.
The problem arises when someone else is able to forge the same signature.
VeriSign, which operates the largest certificate authority in the world, learned of the vulnerability early on Tuesday and acted quickly to close the hole in its certificates, according to Tim Callan, vice president of product marketing at the company.
"We went into our systems and removed the MD5 algorith and replaced it with SHA-1 (Secure Hashing Algorith)," he said. "You can not get an SSL certificate from VeriSign now that is subject to this attack." More information from VeriSign is available on Callan's SSL blog.
VeriSign was in the process of phasing out MD5 before the issue came up and is now on track to have it entirely out of commission in January, Callan said. "On balance, public key infrastructure works extraordinarily well," he said when asked if the vulnerability illustrated a need to change the trust model.
Microsoft, while noting that the issue wasn't a vulnerability with one of its products, tried to downplay the threat to users in a security advisory Monday.
"This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," the advisory said.
A 1991-era protocol, but modern problems
When MIT professor Ron Rivest developed MD5 in 1991, it was considered sufficiently secure. But starting in 1996, a series of increasingly serious flaws started calling the continued viability of MD5 into question.
As CNET News reported in 2004, flaws discovered at that time "could eventually make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature--unless a different, more secure algorithm is used." Then, in 2007, Arjen Lenstra of Bell Laboratories Switzerland, with Marc Stevens and Benne de Weger of TU Eindhoven, demonstrated a technique to construct two new certificates with different content but the same fingerprint.
Although security researchers had been worrying, and recommending that other alternatives be considered, nobody had yet demonstrated how to exploit this theoretical flaw in a practical attack.
Molnar, Appelbaum, and Sotirov joined forces with the European MD5 research team in mid-2008, along with Swiss cryptographer Dag Arne Osvik. They realized that the co-construction technique could be used to simultaneously generate one normal SSL certificate and one forged certificate, which could be used to sign and vouch for any other. They purchased a signature for the legitimate certificate from an established company that was still using MD5 for signing, and then applied the legitimate signature to the forged certificate. Because the legitimate and forged certificates had the same MD5 value, the legitimate signature also marked the forged one as acceptable.
The process amounted to transferring a photograph from a real ID to a fake by carefully matching the holographic security markers.
The rogue certificate can then be used to sign any other certificate of the attacker's choosing--such as one which assures Web browsers that a malicious phishing site is actually the legitimate etrade.com or bankofamerica.com.
After three unsuccessful attempts, each of which required approximately three days of compute time on a cluster of 200 PlayStation 3s, the researchers obtained a forged certificate authority in early November, at which time they notified browser developers and certificate authorities, or CAs, about the security flaw. Molnar estimates that the same processing time could be purchased from Amazon for about $1,500.
The team decided to disclose the vulnerability at the Berlin conference in hopes that the news will encourage everyone involved to fix the problem quickly. "The main message here is to stop issuing MD5 certificates, now," said Molnar. He believes that MD5 is so weak it no longer should be used for any applications: "More secure, freely available alternatives exist." (In November 2005, the U.S. government announced plans to find successors to MD5 and SHA-1, an official federal standard with its own problems. The new federal standard will be called SHA-3.)
By itself, the MD5-certificate-forging vulnerability wouldn't be too worrisome. That's because it relies on criminals being able to capture Web traffic to display a fraudulent Web site. But setting up a fake wireless access point to lure unsuspecting neighbors or business travelers is trivial, and a program released earlier this year to attack the domain name system (DNS) provides another way to direct Internet traffic for malicious purposes.
While only a few CAs currently sign certificates with MD5, Appelbaum estimates that 30 percent to 35 percent of all SSL certificates currently in use have an MD5 signature somewhere in their authentication chain. "The CAs should contact every customer that currently uses an MD5-signed certificate and offer a free replacement."
In an interview on Tuesday morning, cryptography expert Bruce Schneier praised the research but downplayed the real-world consequences of the findings.
"SSL protects data in transit but the problem isn't eavesdropping on the transmission. Someone can steal the credit card on some server somewhere. The real risk is data in storage. SSL protects against the wrong problem," he said.
"This is good work, great cryptography. I love the research, but this doesn't matter a whit," Schneier added. "There are half a dozen ways to forge certificates and nobody checks them anyway."
Paul Kocher, president of Cryptography Research and an architect of the SSL 3.0 protocol, said the exploit highlights the need for a new universal hash function "that everyone is comfortable with."
"The paper is not a surprise, but at the same time it's the crispest demonstration for why it's necessary to remove this broken algorithm everywhere it is being used," he said, before adding "there are bigger things to worry about, like browser bugs and operating security bugs."
The researchers have created a Web site signed with a forged certificate which can be viewed here. The forged certificate was backdated so that it could not be used maliciously even if stolen from researchers, so you have to reset your system clock to August 2004 to view it.
Even though their work may be controversial, the researchers view their efforts as fundamental to creating a more secure Internet. "I don't want to be hit by this type of attack either," Sotirov said. "I use the Internet too."
The author is a freelance contributor to CNET News and is not an employee of CBS Interactive. His Web site can be found at jonathanstray.com.