Researchers on Tuesday demonstrated an attack that allowed them to successfully create a rogue Certification Authority (CA) certificate, which would be trusted by all web browsers and allow an attacker to impersonate any website, including those secured by the HTTPS protocol.
Jacob Appelbaum and Alexander Sotirov presented the research at the 25th Chaos Communication Congress in Berlin during a presentation called “MD5 considered harmful today.”
The research team was comprised of Sotirov, Appelbaum and David Molnar of the United States; Marc Stevens and Benne de Weger of the Netherlands; and Dag Arne Osvik and Arjen Lenstra of Switzerland.
They identified a vulnerability in the internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. The weakness exists in the MD5 cryptographic hash function, which allows the construction of different messages with the same MD5 hash — known as an MD5 “collision,” according to their research paper.
In other words, criminals would be able to create a fake CA certificate, which would be trusted by the web browsers, allowing them to display any website as SSL-secured — represented by the padlock at the corner of the page. Specifically, attackers would be able to perform transparent man-in-the-middle attacks against SSL connections and monitor or tamper with the traffic to secure websites or email servers.
“This successful proof-of-concept shows that the certificate validation performed by browsers can be subverted, and malicious attackers might be able to monitor or tamper with data sent to secure websites,” Sotirov wrote in a blog post on the project’s website.
Appelbaum and Sotirov said in their presentation that MD5 has been “broken” since 2004, when the first collision attack was identified. In 2007, another, stronger collision attack against the MD5 hash function was identified.
While warnings against MD5 signing have been made since 2004, it is still used today by the certification authorities, including RapidSSL, FreeSSL, TrustCenter, RSA Data Security, Thawte, and verisign.co.jp.
CAs that are still using MD5 are recommended to transition to more secure cryptographic hash functions, such as SHA-1 or more preferably, SHA-2. Appelbaum and Sotirov said that the affected CAs have been notified and will be switching to the SHA-1 hash function “very, very soon.”
Microsoft, maker of the popular Internet Explorer browser, said it is calling on CAs to take the researchers’ advice.
“This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information,” according to a Tuesday security advisory from the software giant. “Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm.”