MD5 Weakness Allows Fake SSL Certificates To Be Created

New research published today demonstrates how someone could use a weakness in the MD5 signatures allow people to make fake SSL certificates that look like they were signed by a real certificate authority. First read their summary:

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 "collision". Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

As a result of this successfull attack, we are currently in possession of a rogue Certification Authority certificate. This certificate will be accepted as valid and trusted by all common browsers, because it appears to be signed by one of the root CAs that browsers trust by default. In turn, any website certificate signed by our rogue CA will be trusted as well. If an unsuspecting user is a victim of a man-in-the-middle attack using such a certificate, they will be assured that the connection is secure through all common security indicators: a "https://" url in the address bar, a closed padlock and messages such as "This certificate is OK" if they chose to inspect the certificate.

This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites.

The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.

The vulnerability we expose is not in the SSL protocol or the web servers and browsers that implement it, but in the Public Key Infrastructure. This infrastructure has applications in other areas than the web, but we have not investigated all other possible attack scenarios. So other attack scenarios beyond the web are conceivable, such as in the areas of code signing, e-mail security, and in other areas that use certificates for enabling digital signatures or public key encryption.

The paper goes on to explain the process without revealing enough detail to duplicate their results.

What does it mean?

Though the MD5 algorithm has been known to be vulnerable for several years, there are some CAs that still use certificates with MD5 signatures. Thankfully most are using algorithms such as SHA-1. With enough time and smarts someone could spoof one of these MD5 and start issuing certificates for phising websites as a trusted CA. This means that CAs need to stop using MD5 as soon as possible. VeriSign claims to have already fixed all problems with MD5 hashes even with RapidSSL. How do we know whether any fake certificates have been created yet? We can't bee 100% sure but the researchers who published the paper are very confident that it would be unlikely at this point. Microsoft has commented that they are unaware of any current attacks. 

EV Certificates

What kind of certificates won't be affected by this? EV certificates. Because the EV Guidelines require the use of SHA algorithms for signing EV certificates, a phisher won't be able to issue any EV certificates. So as long as you have an EV certificate and your customers know to look for the green address bar, it doesn't matter if someone is running their own rogue CA. They won't be able to set up a phishing site that has an EV certificate. This, and the recent domain-validated Comodo reseller experience, may prompt more people to start using EV certificates.

Links

• Read the full research in the article "MD5 considered harmful today"
• View the MD5 vulnerability presentation
• Read the SlashDot comments about the MD5 research
• Read Microsoft's Advisory "Research proves feasibility of collision attacks against MD5"
• VeriSign's Tim Callan's response "This morning's MD5 attack - resolved"
• SSL: Really broken this time
• Check SSL Certificates for the Vulnerable MD5 Algorithm

Originally posted on Tue Dec 30, 2008

Comments

Stefan Wenig(2014-12-13)

You write: "... EV Guidelines require the use of SHA algorithms for signing EV certificates" However, the document http://cabforum.org/EV_Cert... from the page you link to lists MD5 as "NOT RECOMMENDED", but still supported for Root CA Certs. How are EV certificates safe from MD5 exploits then? One possible explanation could be that no actual MD5-signed Root CA Certs are shipped with browsers, which would be a prerequisite for the creation of a rogue CA; and that browsers would not accept MD5-signed certs lower in the cert chain. Is this what you mean?

Robert(2014-12-13)

Thanks for pointing that out Stefan. As far as I understand it, the MD5 vulnerability doesn't affect root certificates. In addition, none of the current EV roots use MD5 signatures.