Why should you care about a vulnerability in SSL? What is SSL anyway? Well…..if you never bank online or buy anything online, you’ve no cause for concern. But if you do, please at least read the takeaway action item, OK?
The whole ecommerce sector relies on the secure sockets layer (SSL) for encryption of transmissions and security certificates for trust. See the earlier Hot Dorkage post Credit Card Security Online for a simple explanation of how encryption and trust are meant to work hand in hand to keep you safe.
Recently, however, with the aid of some power hacking, an exploit has been discovered in SSL.
The SSL certificate is assurance from a trusted third party that the party in question is who they claim to be. Credit Card Security Online goes into further detail about how this works. Certificates are identified by their hashes, which are supposed to be unique. There are several methods of generating hashes, the oldest among these being the MD5 method. If you could carefully craft a certificate request and get a legitimate issuer to give you a certificate with the same hash as some other certificate, you can effectively impersonate that other certificate. The theory of cryptography is that doing this would require more computing power and expense than anyone could afford. However, using a bank of 200 PS3’s cryptographers have indeed managed to craft certificate requests that generate colliding MD5 hashes. This Tech Republic posting has geeky details and links to articles with even more geeky details if you’re interested, which, if you are like most people, you’re probably not.
The bottom line is that, combined with some better known hacking techniques, such as Fake DNS trojans (described in our phishing article) you could be schlepped to a malicious site, and all the SSL protocols would appear to work just fine.
The good news is:
- MD5 encryption has been largely replaced by more up-to-date methods called SHA-1 and SHA-2.
- this can’t be done by some pimplefaced kid on a discarded laptop
- so far it’s the white hats (good guys) doing it.
Some cryptographers make the case that in theory it is possible to break the SHA-1 hashing method this same way, though there is no proof that anyone has done it. The SHA-2 method would require much more computing power to break.
What you can do is follow the instructions in the Tech Republic posting to look at the certificates in your browser and find out if there are any using the MD5 algorithm for the signature. I sampled mine, and all of them that I looked at were SHA-1 or SHA-2. So I don’t think it’s a critical issue at this time, but whenever white hats produce a proof of concept like this, black hats aren’t far behind in exploiting it for nefarious purposes. The bigger risk, in my opinion, is web surfers who ignore security certificate warnings and go ahead and give data to any shmoe who asks for it.