Researchers Hack Internet Security Infrastructure
International Team Discovers Way to Mimic Digital Identity
Tuesday, December 30, 2008; 10:29 AM
An international team of computer security researchers demonstrated today a key weakness in the Internet infrastructure that could let hackers launch virtually undetectable attacks aimed at intercepting secured online communications when consumers visit bank and e-commerce Web sites.
Academic and private security and cryptography experts from the Netherlands, Switzerland and the United States said they have found a way to mimic the digital identity and authority assigned to RapidSSL, a company that helps Internet users correctly distinguish legitimate Web sites from counterfeit or hostile sites.
RapidSSL is one of dozens of companies, trusted by makers of Internet browsers, to act as so-called "certificate authorities," or CAs for short. CAs issue digital security credentials designed to uniquely identity Web sites. In the process of issuing a certificate, for example, CAs are required to conduct basic background checks to ensure that the applicant has a legitimate claim to the Web site name listed in the requested certificate.
E-commerce and banking sites use these certificates in combination with secure sockets layer (SSL) technology, an encryption scheme designed to ensure that sensitive data transmitted between the site and visiting Web browsers is scrambled and cannot be read by potential eavesdroppers. For example, when Internet users visit a Web site that begins with https:/
The problem, the researchers realized, is that RapidSSL and a few other CAs still sign their digital certificates using a cryptographic method, called MD5, that suffers from known weaknesses. Combining recent and new research about ways to exploit those weaknesses with a homegrown, massive array of number-crunching machines (which included networking together about 200 PlayStation 3 gaming consoles), the team was able to reproduce a virtual clone of the digital signature RapidSSL uses to sign SSL certificates.
Armed with those credentials, an attacker who had seized control over a large network, for example, could intercept all requests for users trying to visit a specific e-commerce or banking Web site. The attacker could then redirect the user to a counterfeit version of the site designed to steal the user's credentials. All the while, the user may never know the difference, because the attacker would have presented the victim's Web browser with an SSL certificate, which was signed by an approved CA.
"Signing certs with MD5 in 2008 is negligent," said Jacob Appelbaum, one of the team members and a researcher with the Tor Project, a free online anonymity technology. "The problem is that we trust these CA companies, and maybe we shouldn't."
Appelbaum, perhaps best know for his leading role on recent research into so-called "cold boot" attacks, techniques that can break some of the most widely used forms of computer data encryption, said the group took precautions to ensure that its work could not be copied, at least not immediately.
"A highly skilled researcher and programmer who has been working in this area before might duplicate our work in a month," Appelbaum said. "Starting from scratch without prior understanding of the techniques used will be far more challenging and might take a particularly dedicated and smart individual three or more months."
The team also does not plan to release all of the details about the improved methods (ppt) it used to duplicate the CA for several months. They also have intentionally hobbled the usefulness of the rogue CA they created by outfitting it with an expiration date that has already passed. In order to actively participate in today's live demonstration, conference attendees were asked to set their system clocks back to August 2004.
Appelbaum said the team's research shows that the reliability of the modern CA system, as with most security systems, is only as strong as its weakest link. Web browsers such as Microsoft's Internet Explorer and Mozilla's Firefox are automatically configured to accept any certificates signed by an approved CA. As a result, an attacker using the team's method could create a counterfeit certificate for virtually any Web site -- regardless of the strength of the cryptography used by the signing CA -- as long as the browser implicitly trusts certificates issued by at least one CA that uses the vulnerable encryption scheme.