SSL Vulnerability alert!

Why should you care about a vulnerability in SSL? What is SSL anyway? Well…..if you never bank online or buy anything online, you’ve no cause for concern. But if you do, please at least read the takeaway action item, OK?

The whole ecommerce sector relies on the secure sockets layer (SSL) for encryption of transmissions and security certificates for trust.   See the earlier Hot Dorkage post Credit Card Security Online for a simple explanation of how encryption and trust are meant to work hand in hand to keep you safe.

Recently, however, with the aid of  some power hacking, an exploit has been discovered in SSL. 

The Exploit

The SSL certificate is assurance from a trusted third party that the party in question is  who they claim to be.   Credit Card Security Online goes into further detail about how this works.   Certificates are identified by their hashes, which are supposed to be unique.  There are several methods of generating hashes, the oldest among these being the MD5 method.   If you could carefully craft a certificate request and get a legitimate issuer to give you a certificate with the same hash as some other certificate, you can effectively impersonate that other certificate.  The theory of cryptography is that doing this would require more computing power and expense than anyone could afford.  However, using a bank of 200 PS3’s cryptographers have indeed managed to craft certificate requests that generate colliding MD5 hashes. This Tech Republic posting has geeky details and links to articles with even more geeky details if you’re interested, which, if you are like most people, you’re probably not.

The bottom line is that, combined with some better known hacking techniques, such as Fake DNS trojans (described in our phishing article) you could be schlepped to a malicious site, and all the SSL protocols would appear to work just fine.

The good news is:

  • MD5 encryption has been largely replaced by   more up-to-date methods  called SHA-1 and SHA-2.
  • this can’t be done by some pimplefaced kid on a discarded laptop
  • so far it’s the white hats (good guys) doing it.

Some cryptographers make the case that in theory it is possible to break the  SHA-1 hashing method this same way, though  there is no proof that anyone has done it.  The SHA-2 method would require much more computing power to break.

What you can do is follow the instructions in the Tech Republic posting to look at  the certificates in your browser and find out if there are any using the MD5 algorithm for the signature.  I sampled mine, and all of them that I looked at were SHA-1 or SHA-2.    So I don’t think it’s a critical issue at this time, but whenever white hats produce a proof of concept like this, black hats aren’t far behind in exploiting it for nefarious purposes.    The bigger risk, in my opinion,  is web surfers who ignore security certificate warnings and go ahead and give data to any shmoe who asks for it.

12 comments to SSL Vulnerability alert!

  • hi Colleen,
    Just to clarify, this is a problem for people shopping or doing other things that they think are secure, and not for people with an ssl e-store, right?
    The problem is that you can be tricked into being at the wrong website, not that a trusted website has been hacked.
    Am I right? Or, more importantly, are you saying that website e-stores are at risk of being hacked?
    Steve, Pinnacle Trade Show Booths

  • yes, this is more about hacking the consumer than the estore guy. no breaking into anybody’s site occurs, but it is more likely to succeed at luring someone to give creds out to a bogus site, because all the SSL would appear to work. It would more likely to be used to impersonate a bank or something where the hacker stands to get a lot of money by controlling somebody’s account. It’s pretty theoretical at this moment, but these theoretical things have ways of becoming real hacks. You heard about it here first.

  • Few days back i heard twitter accounts are getting hacked … but don’t know the reason y someone wanna hack twitter accounts ? like this many hackers try to hack paypal accounts us and pass too … lol

    like this there are many other programs too for phishing users online … most of the newbies get into this and not many webmasters i think so:)

  • admin

    The twitter phish/hack was a garden variety hack. Someone GUESSED an admin password for some twitter employee then used that to get creds for high profile users.

    Twitter is so easy to hack it isn’t even interesting. All you would do is say you had the next killer Twitter app. and ask people to give you their creds. The problem with Twitter is that some cool things that are nice to automate actually do need the creds. Most app creators are extremely respectful and use them for what they say they are doing.

  • yeah so for those that aren’t quite as tech savvy you should be looking for a domain with https:// at the beginning when you are entering your credit card.

  • Thanks for the alert =] i hope you have a good valentines day!

  • A thoughtful opinion and ideas I will use on my blog. You’ve obviously spent a lot of time on this. Congratulations!

  • I’ll gear this review to 2 types of people: current Zune owners who are considering an upgrade, and people trying to decide between a Zune and an iPod. (There are other players worth considering out there, like the Sony Walkman X, but I hope this gives you enough info to make an informed decision of the Zune vs players other than the iPod line as well.)

  • Pretty good article. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be coming back and I hope you post again soon.

  • It sounds like you’re creating problems yourself by seeking to solve this issue instead of hunting at why their is a problem in the 1st place. thanks !! extremely valuable publish!

  • Colleen

    Dunno how I’m creating the problems by seeking a solution, friend. I didn’t publish exactly how they did it, and you would need a raft of computers to actually do it anyway. We know the root cause, that there IS enough computing power available to break it, which still isn’t the case for some of the higher bitcount algos.

  • Great information on SSL vulnerability. This has been a concern of mine for some time now. As technology advances, online businesses need to keep up with the technology to maintain security for the business and it’s users.

A sample text widget

Etiam pulvinar consectetur dolor sed malesuada. Ut convallis euismod dolor nec pretium. Nunc ut tristique massa.

Nam sodales mi vitae dolor ullamcorper et vulputate enim accumsan. Morbi orci magna, tincidunt vitae molestie nec, molestie at mi. Nulla nulla lorem, suscipit in posuere in, interdum non magna.