By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, December 30, 2008 10:29 AM
An international team of computer security researchers demonstrated today a key weakness in the Internet infrastructure that could let hackers launch virtually undetectable attacks aimed at intercepting secured online communications when consumers visit bank and e-commerce Web sites.
Academic and private security and cryptography experts from the Netherlands, Switzerland and the United States said they have found a way to mimic the digital identity and authority assigned to RapidSSL, a company that helps Internet users correctly distinguish legitimate Web sites from counterfeit or hostile sites.
RapidSSL is one of dozens of companies trusted by makers of Internet browsers to act as so-called "certificate authorities," or CAs for short. CAs issue digital security credentials designed to uniquely identify Web sites. In the process of issuing a certificate, for example, CAs are required to conduct basic background checks to ensure that the applicant has a legitimate claim to the Web site name listed in the requested certificate.
E-commerce and banking sites use these certificates in combination with secure sockets layer (SSL) technology, an encryption scheme designed to ensure that sensitive data transmitted between the site and visiting Web browsers is scrambled and cannot be read by potential eavesdroppers. For example, when Internet users visit a Web site that begins with https://, a small padlock symbol appears in the user's Web browser window indicating a secure connection that's using an SSL certificate issued by one of the approved CAs.
The problem, the researchers realized, is that RapidSSL and a few other CAs still sign their digital certificates using a cryptographic method, called MD5, that suffers from known weaknesses. Combining recent and new research about ways to exploit those weaknesses with a homegrown, massive array of number-crunching machines (which included networking together about 200 PlayStation 3 gaming consoles), the team was able to reproduce a virtual clone of the digital signature RapidSSL uses to sign SSL certificates.
Armed with those credentials, an attacker who had seized control over a large network, for example, could intercept all requests for users trying to visit a specific e-commerce or banking Web site. The attacker could then redirect the user to a counterfeit version of the site designed to steal the user's credentials. All the while, the user may never know the difference, because the attacker would have presented the victim's Web browser with an SSL certificate, which was signed by an approved CA.
"Signing certs with MD5 in 2008 is negligent," said Jacob Appelbaum, one of the team members and a researcher with the Tor Project, a free online anonymity technology. "The problem is that we trust these CA companies, and maybe we shouldn't."
Appelbaum, perhaps best known for his leading role on recent research into so-called "cold boot" attacks, techniques that can break some of the most widely used forms of computer data encryption, said the group took precautions to ensure that its work could not be copied, at least not immediately.
"A highly skilled researcher and programmer who has been working in this area before might duplicate our work in a month," Appelbaum said. "Starting from scratch without prior understanding of the techniques used will be far more challenging and might take a particularly dedicated and smart individual three or more months."
The team also does not plan to release all of the details about the improved methods it used to duplicate the CA for several months. They also have intentionally hobbled the usefulness of the rogue CA they created by outfitting it with an expiration date that has already passed. In order to actively participate in today's live demonstration, conference attendees were asked to set their system clocks back to August 2004.
Appelbaum said the team's research shows that the reliability of the modern CA system, as with most security systems, is only as strong as its weakest link. Web browsers such as Microsoft's Internet Explorer and Mozilla's Firefox are automatically configured to accept any certificates signed by an approved CA. As a result, an attacker using the team's method could create a counterfeit certificate for virtually any Web site -- regardless of the strength of the cryptography used by the CA that signed the site's legitimate certificate -- as long as the browser implicitly trusts certificates issued by at least one CA that still uses the vulnerable hash function.
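An added example (not the article's or the researchers' code) of the audit a defender would run on a certificate chain in light of the weakest-link point above: parse each certificate's DER, read the signatureAlgorithm OID, and flag MD5-signed entries. The chain below is built from constructed stub certificates with just enough structure to locate that field, so it runs offline.

```python
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def decode_oid(body):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in body:                         # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def der_children(der):
    """Split a run of DER elements into (tag, body) pairs; handles long-form lengths."""
    i, out = 0, []
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:                       # long form: next (n & 0x7F) bytes hold the length
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        out.append((tag, der[i:i + n]))
        i += n
    return out

def signature_algorithm(cert_der):
    """OID of Certificate.signatureAlgorithm, the 2nd element of the outer SEQUENCE."""
    _tbs, (_, alg_body), _sig = der_children(der_children(cert_der)[0][1])
    return decode_oid(der_children(alg_body)[0][1])

def md5_signed(chain):
    """Indexes of chain entries whose signature algorithm is MD5-based."""
    return [i for i, cert in enumerate(chain)
            if signature_algorithm(cert) in MD5_SIGNATURE_OIDS]

def der_tlv(tag, body):
    """Short-form DER element (body < 128 bytes), enough for the constructed stubs."""
    return bytes([tag, len(body)]) + body

MD5_RSA_ALG = bytes.fromhex("300d06092a864886f70d0101040500")     # md5WithRSAEncryption
SHA256_RSA_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption

def stub_cert(subject, alg_der):
    """Constructed stand-in: SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tbs = der_tlv(0x30, der_tlv(0x0C, subject.encode()))
    return der_tlv(0x30, tbs + alg_der + der_tlv(0x03, b"\x00" + b"\xAA" * 16))

# Constructed chain: leaf signed with SHA-256, but the intermediate CA is still MD5-signed.
CHAIN = [stub_cert("leaf", SHA256_RSA_ALG), stub_cert("intermediate", MD5_RSA_ALG)]
```

Running `md5_signed(CHAIN)` flags index 1, the intermediate: a SHA-256 leaf does not help if any certificate above it in the chain was signed with MD5.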
Tim Callan, vice president of marketing at Verisign, said the company -- which recently acquired GeoTrust, RapidSSL's parent firm -- learned from Microsoft last week that the research was going to be presented. However, Callan said Microsoft was briefed under a non-disclosure agreement with the researchers and so was prohibited from passing along any significant details of the research.
"We are not in a position right now where we can tell you whether this attack works and whether it's something to be concerned about or not, because nobody has shared detailed information with us," Callan said.
Callan said Verisign has been phasing out MD5 in favor of more secure signing algorithms amongst its CA properties for the past couple of years, and expects to finish the process in January 2009.
"If it turns out that some clever security researchers have come up with an attack that would further weaken MD5, we may take an even more aggressive stance" in shifting to more complex encryption algorithms, Callan said.
Appelbaum said that his group's attorneys advised against giving Verisign advance notice, citing the possibility that the company could convince a judge that it was in the best interests of public safety to prevent the researchers from publicly presenting their findings.
"Our lawyers advised us that telling the CA about this increases the chances of us getting into serious legal trouble that may ultimately prevent us from speaking about it," Appelbaum said.
Gene Spafford, a professor of computer science at Purdue University, said he was not privy to the details of the research, but that a cyber criminal in control of a rogue CA could conduct very effective phishing attacks, scams that use e-mail to lure people into giving away personal and financial data at fake bank and e-commerce sites.
"If I as an attacker can either recreate someone else's certificate with a valid signature by pointing to my fake domain, or if I am able to alter certificates on-the-fly in some way, that gives me a real advantage for conducting a number of spoofing attacks, and makes phishing much more possible and believable," Spafford said.
Others in the computer security community, however, do not see this as a crucial threat.
Bruce Schneier, a noted cryptography expert and security gadfly, praised the researchers for their work, but said the average Internet user is no less secure because of their findings.
"Don't get me wrong: This is really good research, and it's a nice demonstration of a fundamental flaw, but I don't see this as changing much," Schneier said. "Ask yourself this: When was the last time you checked the validity of a [SSL certificate]? The reality is that good SSL certificates do not improve security at all, because nobody bothers to check them. I mean, I'm a security guy, and I don't do it."
The National Institute of Standards and Technology (NIST) is hosting a contest to find solid replacements for the cryptographic hash functions widely used today, including for signing certificates.
Schneier said researchers would continue to pick apart new encryption and hashing schemes. In fact, NIST announced on its Web site that three of the 51 teams have already acknowledged significant weaknesses in their proposed schemes, after having holes poked in their methods by competing teams.
"The CA system is broken, but it works because broken systems tend to be better for society, which needs fluidity in the face of complicated social constructs," Schneier said. "Systems that are broken but work are very common in the real world: Front door locks are surprisingly pickable. Think of faxed signatures, for example. It's a ridiculous form of authentication, yet people trust these documents all the time for very important stuff."