Network News

X My Profile
View More Activity

One Weak Link to Rule Them All

It is said that any security system is only as strong as its weakest link. A team of researchers today proved that point yet again, showing the world how they could use known weaknesses in the encryption technology that protects online transactions to undermine the security around e-commerce.

washingtonpost.com ran an in-depth story I wrote about their findings, along with a sidebar explaining the weakness in a bit more detail. Long story short:

sslteam.JPG

An international team of security experts (pictured at right, thanks to Alexander Klink) showed that they could undermine the system most of us rely on to secure our online transactions, so that even though the browser indicates your connection is encrypted (Web browser address starts with "https://") and vetted by a third party to be secure and authentic, it may in fact be controlled by an attacker offering up a counterfeit Web site designed to steal your information.

Web users are taught early on to look for that padlock and https:// connection when shopping or banking online. Those are features denoting that a Web site has been vetted by a certificate authority (CA), a company that issues digital certificates that are supposed to show that the Web site has been vetted and is protecting all transactions from any would-be eavesdroppers.

There are dozens of CAs in business today. Trouble is, a handful of them still rely on an outdated and insecure encryption method (called MD5) to sign their certificates. What the researchers showed was that they could use those weaknesses to effectively duplicate the signing authority for several CAs, allowing them to forge a certificate corresponding to any address on the Web.

From the story:

Armed with those credentials, an attacker who had seized control over a large network, for example, could intercept all requests for users trying to visit a specific e-commerce or banking Web site. The attacker could then redirect the user to a counterfeit version of the site designed to steal the user's credentials. All the while, the user may never know the difference, because the attacker would have presented the victim's Web browser with an SSL certificate, which was signed by an approved CA.

The worst part about this attack is that Web browsers such as Microsoft's Internet Explorer and Mozilla's Firefox are automatically configured to accept any certificates signed by an approved CA. As a result, an attacker using the team's method could create a counterfeit certificate for virtually any Web site -- regardless of the strength of the cryptography used by the signing CA -- as long as the browser implicitly trusts certificates issued by at least one CA that uses the vulnerable encryption scheme.

Ed Felten, a professor of computer science at Princeton University, delves into this a bit more, as does an easy-to-read post from Purdue University's Gene Spafford.

The security threat here goes well beyond spoofing Web sites or phishing (think Web-based e-mail, for starters). But I've read/heard mixed views from experts on whether this is something the average user should be concerned about.

For his part, Spafford said the fix will take time and won't be easy, and that it's difficult to see how the end user could be expected to do much about it in the meantime:

We can try to educate end-users about this, but the problem is so complicated with technical details, the average person won't know how to actually make a determination about valid certificates. It might even cause more harm by leading people to distrust valid certificates by mistake!

Spafford notes that far too many people take for granted technologies that make the Internet work properly, until those technologies and assumptions start to break down.

"If you look at the way our systems are constructed, too little thought is given to what happens to existing infrastructure when something breaks. Designs can include compensating and recovery code, but doing so requires some cost in space or time. However, all too often people are willing to avoid the investment by putting off the danger to 'if and when that happens.' Thus, we instance such as the Y2K problems and the issues here with potentially rogue CAs."

Bruce Schneier, a noted cryptography expert and security gadfly, praised the researchers for their work, but said the average Internet user is no less secure because of their findings.

"Don't get me wrong: This is really good research, and it's a nice demonstration of fundamental flaw, but I don't see this as changing much," Schneier said. "Ask yourself this: When was the last time you checked the validity of a [SSL certificate]? The reality is that good SSL certificates do not improve security at all, because nobody bothers to check them. I mean, I'm a security guy, and I don't do it.

The CA system is broken, but it works because broken systems tend to be better for society, which needs fluidity in the face of complicated social constructs," Schneier said. "Systems that are broken but work are very common in the real world: Front door locks are surprisingly pickable. Think of faxed signatures, for example. It's a ridiculous form of authentication, yet people trust these documents all the time for very important stuff."

Ultimately, it's not clear what Internet users really can do to shield themselves against this type of attack. A few months ago, I wrote about a plug-in for Firefox called "Perspectives" that may help users spot a counterfeit SSL certificate. When a Perspectives user visits a Web site that uses an SSL cert, the browser plugin queries at least four different "notary" servers and asks them for their observations about the cert in question. The servers respond with information about which key they see being offered by the Web site in question at the moment, and which keys they have seen in the past for that same domain.

The Perspectives add-on may or may not help diminish the threat from this attack. I'd be interested to hear from readers with other ideas. Please sound off in the comments below.

Update, Dec. 31, 1:17 p.m. ET: Verisign's Tim Callan just posted a blog entry saying that "this attack has been rendered ineffective for all SSL Certificates available from VeriSign." This appears to be progress from where Verisign was with respect to this when I interviewed Callan two days ago. The post continues: "We have been in the process of phasing out the MD5 hashing algorithm for a long time now. MD5 is not in use in most VeriSign certificates for most applications, and until this morning our roadmap had us discontinuing the last use of MD5 in our customers' certificates before the end of January, 2009. Today's presentation showed how to combine MD5 collision attacks with some other clever bits of hacking to create a false certificate. We have discontinued using MD5 when we issue RapidSSL certificates, and we've confirmed that all other SSL Certificates we sell are not vulnerable to this attack. We'll continue on our path to discontinue MD5 in all end entity certificates by the end of January, 2009."

By Brian Krebs  |  December 30, 2008; 5:50 PM ET
Categories:  From the Bunker , Latest Warnings , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Beware Holiday e-Greeting Cards, Digital Hitchhikers
Next: Phishers Now Twittering Their Scams

Comments

"Ask yourself this: When was the last time you checked the validity of a [SSL certificate]?
----------
I always check for the SSL signs but trying to convince others to do it is like talking to a wall.

I hope more banks implement 2-way verification like INGDirect, Vanguard and BoA where they supply a pre-selected image after you enter your id but before you enter your password. This provides the assurance that you are indeed at their web site and not an impostor's.

Posted by: SanDiegoTim | December 30, 2008 11:08 PM | Report abuse

>I hope more banks implement 2-way verification like INGDirect, Vanguard and BoA where they supply a pre-selected image after you enter your id but before you enter your password. This provides the assurance that you are indeed at their web site and not an impostor's.

Even multi factor authentication such as above would not help in detecting this problem because everything else checks out properly, including cookies, etc which are part of the pre-selected image validation algorithms.

Only something like the "perspectives" plugin or manually reviewing the certificate and noticing that it has changed for no apparent reason. But noticing that it has changed is of no help in deciding whether it is valid and can be trusted.

Posted by: moike | December 31, 2008 9:02 AM | Report abuse

Since the researchers can manipulate the certificate, they *may* be able to fake an Extended Validation (EV) certificate. A quick spot check of some major banks shows that they don't use EV certificates anyway - which is funny because all early EV examples used banks as examples of sites that should have EV certificates.

Posted by: moike | December 31, 2008 9:16 AM | Report abuse

@Brian,
Looks like the Mozilla page for the Perspectives add-on is not current for Firefox 3.0.5 - the authors post a non-https link on their website which encourages users to violate at least two safe browsing guidelines for Firefox (downloading add-ons from an unknown website and doing it over a non-SSL connection). Although with this vulnerability at hand that latter one may be moot.

@
Students: Dan Wendlandt and Ethan Jackson
Advisers: Dave Andersen and Adrian Perrig
Would you be so kind as to post your update to Mozilla? Apologies if I missed it in my search.

Posted by: ohiomc | December 31, 2008 10:30 AM | Report abuse

Spafford says it best: "...the problem is so complicated with technical details, the average person won't know how to actually make a determination..." I do check SSL certs religiously, but sometimes I doubt the veracity of what I'm actually looking at. In short, this is further proof that SSL is in need of a HUGE overhaul -- not only a technology that is harder for scammers to duplicate but higher standards from those issuing certs (CAs). The encryption itself is fine, it's just everything around the encryption that causes problems. I personally think EV SSL (ya know, the "green url bar" thing) has the potential to considerably improve on regular SSL, if it becomes widely adopted. To my knowledge, the green url bar and EV padlock are currently not possible for phishers to copy.

Also glad to see Verisign staying on top of the issue, since most certs are through them...

Posted by: glimpsing | December 31, 2008 3:13 PM | Report abuse

How about providing a list (or link to a list) of CA's still using an MD5 hash algorithms for their certificates so people can remove them from their list of certificates. When those companies reissue them, people can import them.

Posted by: ginigma | January 1, 2009 10:49 PM | Report abuse

SanDiegoTim,
Image and Phrase solutions are not secure and back on Oct 8th 2008, CUNA sent out an Alert to all Credit Unions regarding Image & Phrase, Challenge/Response Questions, and the use of IP Addresses for accessing security. Many FI's are in process of changing to more secure methods than Picture security. Most users do not even look at their Image when accessing their account. It is also a know fact that Image security provides no protection against a MITM attack or even a simple Keylogger attack.

Posted by: mangelinovich | January 5, 2009 2:07 PM | Report abuse

I don't think you folks are understanding the threat.

There is nothing Verisign or any of the other CAs who have recently been using MD5 signatures can do at this point to recover from this attack, other than to revoke any CA certificates they've used in conjunction with MD5 signatures for the last couple of years and have these CA certs removed from all trusted certificate stores. This is an arduous task that is doomed to be incomplete.

The reason for this is that, any time in the last couple of years, someone may *already* have performed this attack to sign an intermediate ("chained") CA certificate with a validity period of his choosing, with which he can sign any other certificate *indefinitely*. If this has occurred, then ceasing use of MD5 at this point is closing the barn door after the animals have escaped.

Given that people have been talking about this attack ever since serious collision attacks were discovered in MD5, I would guess that at least one party has accomplished this. Verisign, as usual, takes the cake for publishing what amounts to, in the kindest light, sales propaganda, and in the harshest light, a flat out lie.

It also doesn't matter how well people inspect their certificates, because the big threat here is in automated systems that don't require user interaction, or even allow for inspection of certificates. For example, does anyone know what Microsoft Update requires as authentication of its source for downloads?

Note that any intermediate CA certificate an attacker may have forged using this technique may also have code signing and email certificate issuing capabilities, meaning that it could be used to sign Active X controls using a forged certificate with a subject such as microsoft.com. Unlike with the https vector, attacking the email signature or code signing paths doesn't require any subversion (DNS or routing-based) of the path to a web server.

SSL has always been poorly conceived. The CAs have undermined it practically to uselessness already with their failure to authenticate subjects properly. This attack is just icing on that rotting fruitcake, but it's not icing that can be scraped off with a small procedural change and a press release.

Posted by: bug45 | January 5, 2009 7:45 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company