Independent security researchers have found a weakness in the Internet digital certificate infrastructure that allows attackers to forge certificates that are fully trusted by all commonly used web browsers.
The discovery emerged from work in California and at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands.
Arjen Lenstra, head of EPFL’s Laboratory for Cryptologic Algorithms, says that as a result of the weakness, it is possible to impersonate secure websites and email servers and to perform virtually undetectable phishing attacks – meaning that visiting secure websites is not as safe as it should be and is believed to be.
He explains that when users visit a website whose URL starts with ‘https’, a small padlock symbol appears in the browser window, indicating that the website is secured using a digital certificate. To ensure that the digital certificate is legitimate, the browser verifies its signature using standard cryptographic algorithms. The team of researchers has discovered that one of these algorithms, the MD5 hash function, can be misused.
The first significant weakness was presented in 2004 at the annual cryptology conference Crypto by a team of Chinese researchers. They had managed to pull off a so-called collision attack and were able to create two different messages with the same MD5 hash, and therefore the same digital signature.
But a much stronger collision construction was announced by the researchers from CWI, EPFL and TU/e in May 2007. Their method showed that it was possible to have almost complete freedom in the choice of both messages.
The team of researchers has now discovered that it is possible to create a rogue certification authority (CA) that is trusted by all major web browsers by using an advanced implementation of the collision construction and a cluster of more than 200 commercially available game consoles.
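The defensive counterpart to the attack described in the preceding paragraphs is to refuse to trust any certificate whose signature was computed over an MD5 (or MD2) digest, which is what browser vendors eventually did. The following script is an added example, not code from the researchers or from any browser: it reads the `signatureAlgorithm` field of a DER-encoded X.509 certificate with a minimal hand-written parser, cross-checks it against the `signature` field inside `tbsCertificate` (RFC 5280 requires the two to match), and rejects the weak PKCS #1 algorithm identifiers. The OIDs are the standard PKCS #1 values; the certificates it builds are constructed skeletons that contain only the fields the checker reads, so `sample_certificate` is an assumption of this example and not a real certificate.

```python
# Added example: flag X.509 certificates signed over an MD5/MD2 digest.
# Pure-Python minimal DER handling; no external libraries required.

# PKCS #1 signature-algorithm OIDs as they appear in AlgorithmIdentifier.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIG_OIDS = dict(WEAK_SIG_OIDS, **{
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
})


def der_read(data, pos):
    """Read one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                       # short-form length
        length, pos = first, pos + 2
    else:                                  # long form: 0x80 | number of length bytes
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OID content bytes into dotted form, e.g. 1.2.840.113549.1.1.4."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def algorithm_oid(alg_ident):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = der_read(alg_ident, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def certificate_signature_oids(cert_der):
    """Return (outer signatureAlgorithm OID, tbsCertificate.signature OID)."""
    tag, cert, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = der_read(cert, 0)        # tbsCertificate
    _, outer_alg, _ = der_read(cert, pos)  # signatureAlgorithm
    # tbsCertificate: [0] version (optional), serialNumber, signature, ...
    pos = 0
    t, _, nxt = der_read(tbs, pos)
    if t == 0xA0:                          # EXPLICIT [0] version present
        pos = nxt
    _, _, pos = der_read(tbs, pos)         # serialNumber INTEGER
    _, inner_alg, _ = der_read(tbs, pos)   # signature AlgorithmIdentifier
    return algorithm_oid(outer_alg), algorithm_oid(inner_alg)


def check_certificate(cert_der):
    """Return (accepted, reason). Rejects MD2/MD5 signatures and inner/outer mismatches."""
    outer, inner = certificate_signature_oids(cert_der)
    if outer != inner:
        return False, f"signatureAlgorithm {outer} != tbsCertificate.signature {inner}"
    if outer in WEAK_SIG_OIDS:
        return False, f"rejected weak signature algorithm {WEAK_SIG_OIDS[outer]}"
    return True, KNOWN_SIG_OIDS.get(outer, outer)


# --- DER writers, used only to build the constructed sample certificates ---

def der_write(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_write(0x06, bytes(out))


def sample_certificate(outer_oid, inner_oid=None):
    """CONSTRUCTED skeleton (assumption of this example): only the fields the checker reads."""
    inner_oid = inner_oid or outer_oid
    alg = lambda oid: der_write(0x30, encode_oid(oid) + der_write(0x05, b""))
    tbs = der_write(0x30,
                    der_write(0xA0, der_write(0x02, b"\x02"))   # version v3
                    + der_write(0x02, b"\x01")                  # serialNumber 1
                    + alg(inner_oid))                           # signature (inner)
    sig = der_write(0x03, b"\x00" * 17)                          # placeholder BIT STRING
    return der_write(0x30, tbs + alg(outer_oid) + sig)


if __name__ == "__main__":
    for name, oid in (("md5", "1.2.840.113549.1.1.4"), ("sha256", "1.2.840.113549.1.1.11")):
        print(name, check_certificate(sample_certificate(oid)))
```

The same `check_certificate` function works on a real certificate loaded from a DER file, since the outer `SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }` layout and the leading fields of `tbsCertificate` are fixed by RFC 5280; the parser deliberately reads no further than it needs, so it never touches the variable parts of the certificate.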
“The major browsers and Internet players – such as Mozilla and Microsoft – have been contacted to inform them of our discovery and some have already taken action to better protect their users,” says Lenstra. “To prevent any damage from occurring, the certificate we created had a validity of only one month – August 2004 – which expired more than four years ago. The only objective of our research was to stimulate better Internet security with adequate protocols that provide the necessary security.”