VeriSign Inc. is addressing a flaw discovered in the MD5 hash algorithm that could be used by attackers to create false SSL certificates.
Digital certificates are used as part of the trust infrastructure on the Internet to prove the legitimacy and security of a website. A method, discovered by a team of seven researchers, exploits a weakness in the MD5 hash function to construct a rogue certificate authority and issue digital certificates that will be trusted by all of the common Web browsers in use today. The researchers delivered the details Dec. 30 at the Chaos Communication Congress in Berlin.
Most certificate authorities (CAs) have already moved away from MD5 in favor of the newer SHA-1 hash function. The attack cannot be used against those CAs.
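A defender-side check that follows from this, added here as an example (it is not code from the article or from VeriSign, Microsoft or Mozilla): read the signatureAlgorithm OID out of a DER-encoded certificate and flag MD5-based (and the equally broken MD2-based) signatures, using only the Python standard library. Because an X.509 Certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }, the signing algorithm can be read with a minimal DER walker rather than a full X.509 parser. The inputs are constructed certificate skeletons with placeholder tbsCertificate and signature fields, not real certificates; the function names are my own.

```python
"""Flag X.509 certificates signed with MD5 (or MD2) by reading the DER."""

# RSA signature OIDs from RFC 3279 / RFC 4055; the first two are the weak ones.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIGNATURE_OIDS = {
    **WEAK_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def read_tlv(data, offset):
    """Parse one DER tag-length-value at offset; return (tag, contents, end)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(data):
        raise ValueError("DER element runs past end of data")
    return tag, data[offset:end], end


def decode_oid(contents):
    """Turn OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    first = contents[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert, 0)         # tbsCertificate: skipped
    tag, alg_id, _ = read_tlv(cert, after_tbs)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_contents, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not begin with an OID")
    return decode_oid(oid_contents)


def has_weak_signature(cert_der):
    """True if the certificate's signature uses MD5 or MD2."""
    return signature_algorithm_oid(cert_der) in WEAK_SIGNATURE_OIDS


def audit_chain(chain):
    """chain: list of (label, der_bytes). Returns one report dict per cert."""
    report = []
    for label, der in chain:
        oid = signature_algorithm_oid(der)
        report.append({"label": label,
                       "algorithm": KNOWN_SIGNATURE_OIDS.get(oid, oid),
                       "weak": oid in WEAK_SIGNATURE_OIDS})
    return report


# --- Constructed inputs for the demo (not real certificates) ------------

def _der(tag, contents):
    """Encode one DER element; lengths up to 65535 bytes are enough here."""
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + contents


def _encode_oid(dotted):
    """Dotted OID string to OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_skeleton_cert(sig_oid, tbs_padding=0):
    """Certificate-shaped DER with placeholder TBS and signature fields.

    tbs_padding > 127 forces long-form lengths, exercising that path."""
    tbs_body = _der(0x02, b"\x01")
    if tbs_padding:
        tbs_body += _der(0x04, b"\x00" * tbs_padding)
    tbs = _der(0x30, tbs_body)
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)  # placeholder signature BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [
        ("leaf (constructed)", make_skeleton_cert("1.2.840.113549.1.1.4")),
        ("intermediate (constructed)", make_skeleton_cert("1.2.840.113549.1.1.5")),
        ("root (constructed)", make_skeleton_cert("1.2.840.113549.1.1.11")),
    ]
    for entry in audit_chain(chain):
        flag = "WEAK" if entry["weak"] else "ok"
        print(f'{entry["label"]:28} {entry["algorithm"]:24} {flag}')
```

For real certificates, feed `audit_chain` the DER bytes of each certificate in the chain; the check only inspects the outer structure, so it works on any well-formed certificate regardless of key type or extensions. Note that it reports what algorithm a certificate was signed with, which is the property the attack turns on: a CA still issuing MD5-signed certificates is the exposure, not MD5 appearing anywhere else.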
Tim Callan, a product manager for VeriSign's SSL business unit, said the company completely switched to the more secure SHA-1 algorithm for its new RapidSSL brand certificates. The vendor said it would also replace MD5-based certificates for existing customers free of charge.
"We've confirmed that all other SSL certificates we sell are not vulnerable to this attack," Callan wrote in a blog posting. "We'll continue on our path to discontinue MD5 in all end entity certificates by the end of January 2009."
Meanwhile, Microsoft issued an advisory telling customers that it was unaware of any specific attacks against MD5. Microsoft urged customers to contact their issuing Certificate Authority for guidance.
"This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," Microsoft said in its advisory.
Damian Hasse, an engineer with the Microsoft Security Response Center, said serious weaknesses in MD5 have been known for many years. Hasse said the new Extended Validation certificates are not affected by the bug. EV SSL is supported by the Internet Explorer 7, Mozilla Firefox and Opera browsers, which highlight the address bar in green to confirm a legitimate website.
"It is because of these weaknesses that MD5 is banned in new code under the Microsoft Security Development Lifecycle (SDL)," Hasse wrote in the Microsoft Security Vulnerability Research and Defense blog.
Johnathan Nightingale of the Mozilla Foundation advised users to "exercise caution when interacting with sites that require sensitive information, particularly when using public internet connections." In a post on the Mozilla Security blog, Nightingale wrote that Mozilla was working with certificate authorities to ensure their issuing processes are updated to prevent this threat.