Why should you care about a vulnerability in SSL? What is SSL anyway? Well... if you never bank online or buy anything online, you’ve no cause for concern. But if you do, please at least read the takeaway action item, OK?

The whole ecommerce sector relies on the secure sockets layer (SSL) for encryption of transmissions and security certificates for trust. See the earlier Hot Dorkage post Credit Card Security Online for a simple explanation of how encryption and trust are meant to work hand in hand to keep you safe.

Recently, however, with the aid of some power hacking, an exploit has been discovered in SSL.

The Exploit

The SSL certificate is assurance from a trusted third party that the party in question is who they claim to be. Credit Card Security Online goes into further detail about how this works. Certificates are identified by their hashes, which are supposed to be unique. There are several methods of generating hashes, the oldest among these being the MD5 method. If you could carefully craft a certificate request and get a legitimate issuer to give you a certificate with the same hash as some other certificate, you could effectively impersonate that other certificate. The theory of cryptography is that doing this would require more computing power and expense than anyone could afford. However, using a bank of 200 PS3s, cryptographers have indeed managed to craft certificate requests that generate colliding MD5 hashes. This Tech Republic posting has geeky details and links to articles with even more geeky details if you’re interested, which, if you are like most people, you’re probably not.

The bottom line is that, combined with some better-known hacking techniques, such as fake DNS trojans (described in our phishing article), you could be schlepped to a malicious site, and all the SSL protocols would appear to work just fine.

The good news is:

  • MD5 hashing has been largely replaced by more up-to-date methods called SHA-1 and SHA-2.
  • This can’t be done by some pimplefaced kid on a discarded laptop.
  • So far it’s the white hats (good guys) doing it.

Some cryptographers make the case that in theory it is possible to break the SHA-1 hashing method this same way, though there is no proof that anyone has done it. The SHA-2 method would require much more computing power to break.

What you can do is follow the instructions in the Tech Republic posting to look at the certificates in your browser and find out if there are any using the MD5 algorithm for the signature. I sampled mine, and all of them that I looked at were SHA-1 or SHA-2. So I don’t think it’s a critical issue at this time, but whenever white hats produce a proof of concept like this, black hats aren’t far behind in exploiting it for nefarious purposes. The bigger risk, in my opinion, is web surfers who ignore security certificate warnings and go ahead and give data to any shmoe who asks for it.
